Modern software development has made our digital world more interconnected than ever because of the shift to the cloud and the increased use of microservices and open-source code. The interdependent nature of our modern digital infrastructure means cyber threats targeting any one software company or product can, unfortunately, have a broad impact across the industry. Therefore, the sector must change its approach to cybersecurity and come together to better defend against mounting cyber threats.
The industry must work collaboratively and in partnership with the government to share information about threats, mitigation methods, and prevention steps. While the Cybersecurity and Infrastructure Security Agency (CISA) has taken a leadership role in championing this type of collaboration, there is still work to be done.
To support collaboration among the public and private sectors, SolarWinds recently hosted a panel discussion in Washington D.C. featuring SolarWinds President and CEO Sudhakar Ramakrishna in conjunction with Congressman Darrell Issa (R-CA), Congressman Raja Krishnamoorthi (D-IL), and CISA Executive Assistant Director for Cybersecurity Eric Goldstein.
The discussion highlighted several key ways to help the industry become secure by design, including the role of collaboration in creating a strong defense, supporting responsible disclosure to increase information-sharing, and ensuring the industry invests in the people skills needed to defend against the newest threats.
Collaboration for a Strong Defense
The role of collaboration is critical in protecting the customers of private companies, as well as defending our country against foreign adversaries. According to Goldstein, CISA is leading the collaborative effort in public-private partnerships to “ensure that we are seeing threats before they manifest on American networks and taking action in response.”
And to support CISA’s initiative in promoting widespread collaboration, “we need a model where government, industry, and our international partners are seamlessly and frictionlessly working together day in and day out to combat the threats that we're seeing today and getting ahead of the ones that we're seeing tomorrow.” Companies can contribute to the industry’s collective defense posture by actively participating in transparent information-sharing.
Supporting Victims in Responsible Disclosure
The practice of reporting security vulnerabilities and threats in a responsible way is critical to make sure the sector has information about new attacks. The cornerstone of responsible disclosure is ensuring that fixes or patches are available when the issue is announced to limit the risk of malicious actors exploiting issues before they are fixed and users can protect themselves and their infrastructures.
The government should further incentivize companies for responsible disclosure and information-sharing. Unfortunately, this is not always the case. Given the risk that companies can be victim-shamed in the news media and even face punitive measures after disclosure, there is often a greater incentive for companies not to disclose. Ideally, the industry would foster an environment where victims can share their experiences and learnings without fear of retribution.
The government should further incentivize companies for responsible disclosure and information-sharing.
To achieve this, the government needs to incentivize companies to come forward and ensure the proper systems are in place to allow companies to disclose their vulnerabilities adequately and responsibly.
Secure by Design: A Proactive Approach
To successfully navigate the modern threat landscape, companies must become Secure by Design in the software development process. This means integrating security measures throughout an entire product lifecycle, from inception to deployment. Ramakrishna shares an analogy: "You don't think about the airbag in a car after the car is manufactured and on the road. You think about the safety of that as you're designing it.”
Similarly, Secure by Design incorporates security as a foundational and inherent component of systems and applications. As a result, developers can minimize the attack surface and proactively identify and address vulnerabilities.
Under the Biden Administration's National Cybersecurity Strategy, which includes the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), companies must adhere to guidelines to strengthen our nation's overall cybersecurity posture. One requirement from these guidelines includes the generation of a Software Bill of Materials (SBOM), which is like a receipt of each component, library, tool and process developers use in the build process.
SBOMs are a critical step for improving the security of software products by providing visibility into their composition. According to Krishnamoorthi, “we need radical disclosure and radical sharing to make sure that everybody can learn from the attacks that are going on.” As part of a more significant, nationwide Secure by Design initiative, SBOMs introduce a new standard for transparency and openness in the industry.
Building the Skills Needed
With more than 3.4 million open positions in the field, the demand for cybersecurity experts is higher than ever. This results from a lack of qualified individuals available to fill the roles. During the panel, Krishnamoorthi recommended allocating additional skills and vocational training resources to solve this issue. This would require increased incentives and implementation of training in high schools and community colleges.
Additionally, the government still needs more individuals to fill these roles. To accomplish its mission of collaboration and transparency, the government needs more support from the private sector. Ramakrishna suggested that software companies allocate the equivalent of one trained, full-time employee to support CISA and foster information-sharing across individuals, companies and government agencies. This designated liaison would be a champion for working collaboratively with CISA and help ensure robust public-private partnerships amid the evolving threat landscape.
Why it Matters
Highly sophisticated nation-state hackers pose significant threats to the security of our nation's, and global digital infrastructure. By working together across the industry, we can build a resilient defense against cyber-attacks and protect our digital ecosystem. Cyber resilience is not just about preventing cyber-attacks but recovering quickly – and having a plan to identify and contain the attack. It is a shared responsibility requiring the cooperation of governments, businesses and individuals.