A year ago today, the security firm FireEye made an announcement that was as surprising as it was alarming. Sophisticated hackers had silently slipped into the company's network, carefully tailoring their attack to evade the company's defenses. It was a thread that would unspool into what is now known as the SolarWinds hack, a Russian espionage campaign that resulted in the compromise of countless victims.

To say the SolarWinds attack was a wake-up call would be an understatement. It laid bare how extensive the fallout can be from so-called supply chain attacks, when attackers compromise widely used software at the source, in turn giving them the ability to infect anyone who uses it. In this case, it meant that Russian intelligence had potential access to as many as 18,000 SolarWinds customers. They ultimately broke into fewer than 100 choice networks, including those of Fortune 500 companies like Microsoft and the US Justice Department, State Department, and NASA.

But the magnitude of the SolarWinds crisis significantly raised awareness, sparking a year of frantic investment in security improvements across the tech industry and US government.

An executive order in mid-May was one tangible sign of progress. The Biden White House addressed numerous aspects of government cybersecurity, with a specific section dedicated to the supply chain. It outlined requirements for federal agencies to generate guidelines, conduct evaluations, and implement improvements. “The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors,” the order states. “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”

The US government has a poor track record when it comes to actually following through on fixing its cybersecurity weak spots. But Dan Lorenc, a longtime software supply chain security researcher and CEO of the startup Chainguard, says he's been pleasantly surprised to see federal agencies actually adhering to the timelines set by the White House, perhaps an early indicator that the software supply chain security epiphany will have some staying power.

“I think the White House set some very aggressive time frames, which raised eyebrows both in the private sector and among government agencies,” says Allan Friedman, a senior advisor and strategist at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.