The current US administration unveiled a new package of supply chain and critical infrastructure security initiatives on 25 August 2021. This followed a meeting at the White House with about 25 tech, banking, insurance, and infrastructure executives. Little did the group know that an inexpensive solution has been available for 3 years: Wapack Labs LLC - Introduces RedXray.
The initiatives feature a pledge by several companies, including tech giants Microsoft, Google and IBM and insurers Travelers and Coalition, and the US National Institute of Standards and Technology, to create a framework to build more security into the nation's technology supply chain to help ensure its integrity, according to a fact sheet released by the White House.
The Biden administration also plans to expand its Industrial Control Systems Cybersecurity Initiative (a collaborative effort involving the federal government and companies that oversee US critical infrastructure, first unveiled in July for the nation's electrical utilities) to the oil and gas industry, to help better secure the nation's network of interstate pipelines.
The White House also received pledges from several tech firms to spend billions of dollars on cybersecurity over the next several years. This includes Microsoft investing $20 billion over five years to integrate cybersecurity by design and deliver advanced security solutions, as well as Google promising to invest $10 billion over five years to expand "zero trust" programs, help secure the software supply chain and enhance open source security, according to the fact sheet.
Before this meeting, the President touted some of his administration's cybersecurity initiatives, including the executive order signed in May 2021 that will fundamentally change how federal agencies approach security as well as how departments buy and rate the software they use. But he noted that much of the responsibility to secure the nation's critical infrastructure and supply chain falls to the private sector. "The reality is, most of our critical infrastructure is owned and operated by the private sector, and the federal government can't meet this challenge alone," he said. "So I've invited you all here today because you have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity."
The chief security officer with Cybereason notes that, following a series of cyber incidents, including the supply chain attack against SolarWinds and a series of ransomware attacks starting earlier this year, now is the time for both companies and government agencies to invest more in their security defenses. "If we have learned anything since the SolarWinds breach opened the floodgates, the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience," he said.
The meeting at the White House included discussions among several top administration officials and the leaders of several US companies, including Microsoft, Apple, Google, IBM, Amazon, JPMorgan Chase, Bank of America, Travelers Resilience, American Water, ConocoPhillips, Duke Energy, and PG&E among others.
Before the meeting, a senior administration official noted that it is impossible to address cybersecurity from a government standpoint alone. "We're sincere when we say cybersecurity is a matter of national security and the government and public sectors must meet this moment together," said the official, who spoke on the condition of anonymity.
While the executives met with the President for about an hour, they also met in smaller groups to discuss three issues: critical infrastructure, risk assessment, and cybersecurity education and training. While Congress is working on several bills that would require companies to report cyber incidents and would create new regulations, White House officials signaled that they want companies to adopt voluntary standards first to improve their security.
The president and CEO of the Global Cyber Alliance notes that, while these meetings seldom produce significant results, if the White House can convince companies to adopt better security standards without a specific mandate, it is a step forward. "If this is a start to build private sector buy-in to setting standards and near-mandatory implementation of effective requirements for critical infrastructure cybersecurity, I'll dance a jig," he explained.
The bulk of the initiatives focused on shoring up the nation's supply chains, including the agreement between NIST, the tech companies, and insurance firms. While the participants did not release specifics, the White House notes this initiative will "serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open-source software."
The White House also received a separate pledge from Apple that it would work with its global suppliers, including 9,000 firms in the US, to improve security along the iPhone maker's supply chain, which will include mass adoption of multifactor authentication, security training, vulnerability remediation, event logging, and incident response.
A former member of the US National Security Agency's (NSA) elite hacking team says the Apple commitment is particularly intriguing, but he wants to see the company commit to improving security within its software, especially iOS, which has been targeted by several zero-day attacks. "While it is very encouraging that Apple is focusing on ensuring supply chain security, their iOS operating system continues to be a black box for defenders," he says. "This prevents relatively easy detection of exploitation of these devices, as was observed recently with NSO Group. Zero-day exploits in iOS will remain an outsized threat until network defenders can gain visibility into operations on these devices."
While all the press statements and photo opportunities were presented to the public, Red Sky Alliance continues to help protect companies and their supply chains with an inexpensive and easy-to-use cyber threat notification service named RedXray. Jim McKee, CEO of Red Sky Alliance stated, “I am not surprised at the recent attention that has been paid to supply chain breaches, but we have effectively protected supply chains since December 2018 with our RedXray services with no fanfare or White House visits.” Information and enrollment for RedXray services can be found at https://www.wapacklabs.com/redxray.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings