On Tuesday, March 23, 2021, Pondurance Chair of the Board Niloofar Razi Howe testified to the Defense Subcommittee of the House Appropriations Committee on the future challenges in government and cybersecurity. In her testimony, she described the top areas of concern and proposed options to create resilience to these issues. She outlined top cybersecurity challenges including the use of U.S. infrastructure by adversaries, supply chain risks, and an overall lack of information sharing.
The Use of U.S. Infrastructure by Adversaries
We have created an unintended lawless zone that our adversaries have no problem exploiting. This includes an intelligence blind spot created by a legal framework that prohibits U.S. intelligence agencies, like the NSA, from conducting operations inside the U.S. Our legal processes move too slowly for the FBI to be able to disrupt operations. Our current approach relies on voluntary information sharing and incident reporting, which is rare. If we don’t make changes to our processes, our adversaries will continue to successfully launch operations against us.
Supply Chain Risk
The SolarWinds and Microsoft Exchange attacks shed light on the fact that we are only as strong as our weakest link, and when we rely on vendors, we may be letting in bad actors. Long-term cyberattack campaigns focused on supply chain vulnerabilities can be very difficult to detect and have proven to be incredibly productive for bad actors. In the SolarWinds attack, Russia lay dormant for months, introducing back doors and stolen keys into various technology infrastructure companies. This specific attack was discovered by cybersecurity firm FireEye, one of the victim companies, but only after running forensics on thousands of machines and even more files. The resources needed to uncover the SolarWinds attack could only be mustered by a company like FireEye that has the staff and expertise in place.
Lack of Information Sharing
FireEye was not under legal obligation to disclose its discovery of the SolarWinds breach. Our regulatory framework primarily focuses on data privacy and breaches affecting personal information, not widespread cyberattacks by nation-states. Voluntary disclosure is rare and often brings legal liability that most organizations are not willing to inherit. With the SolarWinds breach, we would not have had the technical details to defend ourselves had FireEye not voluntarily disclosed the information it did.
The SolarWinds and Microsoft Exchange Server breaches are not unique campaigns. There have been many similar campaigns before, and there will be many more in the future. It is fair to assume that malware resides in our infrastructure with bad actors waiting to use it at the right time. Read Niloo’s full testimony to get her take on current cybersecurity trends and recommendations to build resilience: Testimony to the Defense Subcommittee of the House Appropriations Committee.
While the threat landscape will remain dynamic, a few key trends are worth focusing on. We highlight the trends that Niloo shared with Congress in our next blog, New Technology Accelerates Opportunities for Cyberattacks.