Sunday, April 28, 2024

7 Key Lessons To Be Implemented For The Cyber Supply Chain

I am close to wrapping up the manuscript for my 16th book, which is about the Data Privacy Laws, and how to come into compliance with them.  In this piece, I focus on three key pieces of Legislation:  The GDPR, CCPA, and the CMMC.  Of course, I could not cover each and every page of these Legislations, so I just wrote about the major tenets and provisions that exist from within them.  I have even included a separate chapter that provides a brief framework as to how businesses can come into compliance with these Data Privacy Laws.

So, by coincidence, I came across an article this morning that describes the compliance efforts that Solar Winds took to help remediate and inform their key stakeholders as to the security breach that had occurred (this is more formally known as a “Supply Chain Attack”).  The author of this article points out the flaws and the inconsistencies which took place in this reporting process.

For example, on 10/30/23, the SEC filed a legal complaint against Solar Winds.  The actual text of this complaint can be seen at the link below:

http://cyberresources.solutions/blogs/Solar_Winds.pdf

Basically, the legal document that was filed accused Solar Winds of "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here)

But as this legal document came out, and made its way into the public, the criticism of the SEC started to pour in.  For example:

- The SEC was too slow in addressing anything.

- The legal document is just a “slap on the wrist” and does nothing to prevent future attacks like this from happening.

- The CISO took all the blame.

- Any future hiring of CISOs will now be carefully monitored as a result.

Of course, there are many other complaints as well, but these are some of the major ones I found in the article.  But, it is interesting to point out here that the Cybersecurity troubles actually started for Solar Winds way back in 2018, when it made its filing for an IPO.  In the statements that were made then, the SEC accused Solar Winds of simply making “boiler plate” assumptions about its particular level of Cyber Risk.  In other words, they offered no evidence to back up the statements that they had made, such as providing the results of any Risk Assessment Study that they may have conducted of their digital and physical assets.

But as time went on, and as the weaknesses and gaps became more prevalent and known to the key stakeholders, none of the upper brass took any initiative to actually fully disclose them. Here is what the SEC even said about this situation:

“Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading."

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here)

But even despite these stark statements made by the Federal Government, the gaps and weaknesses only got worse.  And so from here, the story goes, nothing was done to remediate these holes, and as a result of it, some 1,000+ victims were impacted, ranging from the private sector and to the public sector as well.  Some of them included the smallest of the Mom-and-Pop Shops to the largest of the large, such as Microsoft, and various Agencies within the Federal Government.

My Thoughts On This:

So now, the big question is where do we go from here, to make sure that this is prevented.  Although I am by no means a compliance or Data Privacy expert, here are my thoughts, based upon my years of experience in Cybersecurity:

- Stop the blame game.  Don’t simply make the CISO the first target to shoot at.  Everybody is responsible to some degree or another if a security breach does indeed happen to a business.  The first thing that should be top of mind is restoring business operations as quickly as possible.  Then conduct a detailed forensics examination, to see what exactly happened.  Only then point the fingers at who is really to blame.

- It should be Federal Law that companies, no matter how large or small they are, must report any security breach to key stakeholders, law enforcement, and the regulatory bodies within hours, and not wait for four days, which is the current allowance.

- It is a fact that Solar Winds depended a lot upon other vendors to carry out their work.  This is why this particular hack was called a “Supply Chain” one, because of all of the parties involved.  In my opinion, it should be a Federal Law that businesses have to show complete documentation as to how they have vetted and hired a Third-Party Supplier in this regard.

- The finger pointing must stop here and now.  Of course, this would only happen in a perfect world, not the real world in which we live today.  As a country and as a society, we need to be much more proactive and not reactive like we are today.  But, this only comes from leading by example.  In other words, if an employee is required to maintain a strong level of Cyber Hygiene, so should the C-Suite and even the Board of Directors, for that matter.

- Just like the Department of Homeland Security (DHS) was created right after 9/11, the same needs to be said for a Department of Cybersecurity.  At the present time, the states are running rampant with creating their own Data Privacy Laws, which can vary greatly.  Therefore, we need some sort of central body at the level of the Federal Government that can create common Data Privacy Laws, as well as a set of Best Practices and Standards, so that everybody can have an equal playing field and there is no more ambiguity.

- The sharing of intelligence and other types of data and information must be greatly increased, and this can only happen with a centralized body overseeing all of this.

If a Department of Cybersecurity were to be actually created, then all of the regulatory bodies and agencies must reside there.  Having them spread out across different arms of the Federal Government makes it much harder to instill a degree of accountability.

So, here are my thoughts on this matter.  More to come in the future.
