The U.S. Needs a Stronger Commitment to Cybersecurity

By Andy Purdy (Chief Security Officer for Huawei Technologies USA & former White House Adviser on Cyber Security)

The Colonial Pipeline ransomware attack illustrated the vulnerability of America’s critical infrastructure to a security breach. Long gas lines on the East Coast and rising prices got people’s attention.

Data breaches have more than doubled over the past decade. Recent cyber-attacks have exploited the “trusted supplier” status of SolarWinds and Microsoft Exchange, among other companies, and raised concerns at the highest levels of government and the private sector.

The stakes are only getting higher as the Internet of Things makes everything more connected and we all become more dependent on 5G-enabled technologies. What’s being done to prevent cyber-attacks – and is it enough?

Last month, President Joe Biden issued an executive order to begin developing mandatory baseline security requirements for government agencies and the companies that do business with them. The Order states that the federal government must collaborate with the private sector, and with the National Institute of Standards and Technology (NIST), to develop and implement a zero-trust model that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification” from multiple sources.


For example, federal agencies will now have to implement multi-factor authentication and encrypt data “at rest or in transit” to guard against unauthorized access.

These are important steps, but they really represent the bare minimum that companies should be doing.

Some aspects of the Executive Order are quite promising. For example, the government plans to launch pilot programs to educate the public about the security of software sold to the government. It’s a bit like “Yelp for government software,” providing information about whether a product is worthy of trust.

This is something that many of us have been advocating for years, not just for government contractors but for all companies. Given the sophistication of malicious cyber actors, we need an objective, transparent way of seeing whether networks and third-party products are as resilient and secure as possible. Just as there are generally accepted principles of accounting, there should be a similar framework for cyber security. We should move toward making cyber security and data-protection audits the norm for government, critical infrastructure, and publicly traded companies.

For critical products and components, we need independent conformance and testing programs that cover the landscape of cyber threats to make sure that requirements are met. The zero-trust approach being promoted by the U.S. government is a step toward continuous supplier and product verification. For example, it continuously checks activity for red flags, such as whether information is being accessed from an unknown IP address. This is definitely moving in the right direction.

But those requirements apply only to federal agencies and companies that do business with them. For companies that don’t do business with the government, they’re simply guidelines.

Unless they are incorporated into procurement or other contractual requirements, they’re unenforceable.

Ideally, every organization should strive to transparently meet applicable standards and industry best practices. For example, every organization should use a risk-analytic tool like the Cybersecurity Framework developed by NIST. This would help them understand their risk posture and help guide their path to a more appropriate risk situation, given their business objectives and environment. It would be great if the SEC would require publicly traded companies to adopt this practice.

The U.S. government is also trying to promote better information sharing among private companies and federal agencies. Any company that contracts with the government will now have to disclose significant cyber incidents. “Our government got hacked last year, and we didn’t know about it for months,” explained Homeland Security Secretary Alejandro Mayorkas after the SolarWinds hack in December 2020. It wasn’t until a third party notified SolarWinds of the breach – and the company alerted the government – that the scope and importance of the event became clear.

With better and more timely information sharing about cyber incidents, the U.S. government and other experts may be better able to detect and thwart malicious activity. For example, with more awareness of what was happening to the various departments that had downloaded SolarWinds’ software updates, authorities might have been able to identify irregular patterns of activity, determine that they were probably malicious, and take pre-emptive steps to minimize harm.

An effective cybersecurity strategy has to be a strategic public-private undertaking on a global scale. The U.S. and other countries must work together more closely and share information more openly than they do now. Governments and companies must also leverage the decades-long effort to develop norms of cyber conduct. A United Nations group of experts from 25 member countries recently released a report on advancing responsible state behaviour in cyberspace. The findings of the report should be combined with other input and used to create cyber norms. Ideally, these eventually will be spelled out in treaties or potentially actionable Mutual Trust Agreements between countries, with international suppliers and operators signing such agreements both with their customers, and with governments of the countries where they do business.

It would be a major step forward if governments and global companies would subject themselves to auditable testing and verification processes for critical components, and to the legal processes of the countries with which mutual trust agreements are signed. This might be a step toward holding accountable signatory countries and suppliers who fail to conform to those norms, creating a framework for accountability around the world.

It’s good to see the U.S. taking cybersecurity practices much more seriously, with a greater emphasis on public-private collaboration, standards setting, and enhanced information sharing. But developing more secure and resilient networks and systems, and a more trustworthy software supply chain, will take time. This is an opportunity for the U.S. to work collaboratively – not only with its G7 and G20 partners, but with China, Russia, and other countries – to build a more rules-based order for cyberspace that has requirements steeped in standards and best practices, transparency and conformance mechanisms, and meaningful accountability.

This article was first published by Forbes.com https://www.forbes.com/sites/forbestechcouncil/2021/07/30/the-us-needs-a-stronger-commitment-to-cybersecurity/?sh=10647e185daf
