Section 4 of the Biden Administration’s Executive Order on improving the nation’s cybersecurity focused on the supply chain. I wasn’t surprised.
The supply chain is especially challenging to secure because of its complexity.
Consider automobile manufacturing as a contrast. In this industry, engineers design each piece: auto frames, engine components, parts and sub-components – specifically for each vehicle. Each element has specifications that ensure durability and safety.
Conversely, think of a security buyer’s Proof of Concept (POC) and Procurement process. In many circumstances, compliance will demand solutions or desired end-states that can be addressed by any number of products. Rarely is there a defined set of specifications that the supplier builds to. When was the last time your firewall vendor custom made a product for you?
Sure, you can tailor the configuration, but it isn’t custom built for your specific purpose and nothing else. Instead, the supplier creates a product that has the widest possible applicability in order to capture the largest piece of the market. What’s more, every vendor is in a race to build, release, and deliver products quickly to keep up with a fast-moving market.
Added to this (and just like in the automobile industry), vendors are under pressure to deliver profits. In order to do so, something has to give. In the case of SolarWinds, the pursuit of profits caused them to compromise on security. We simply cannot let this happen again.
Security practitioners rely on other solutions to “watch” other products, but unfortunately, there are challenges with this, too. Again, in the case of SolarWinds, endpoint detection solutions had always flagged SolarWinds software as malware, so much so that SolarWinds published a Knowledge Base article recommending that customers disable endpoint monitoring of its software.
So, what should we do?
Before the Executive Order, Jonathan Reiber of AttackIQ and I published a blog in Lawfare that outlined what we hoped to see from Biden’s Executive Order. One item that we didn’t explore is the Supply Chain. I’d like to examine a few thoughts here:
- Any endpoint monitoring tool needs to have a robust program to monitor third parties, but without creating false positives. This will be pricey for endpoint vendors, but the benefits could be huge! Unfortunately, the expense of these programs, coupled with customers’ price sensitivities, will make this difficult to achieve.
- The Executive Order acknowledges that software development lacks transparency, but the question is how to remove the veil to ensure that a supplier’s supply chain has not been compromised. For this, I recommend not reinventing the wheel, but rather looking at one of our international peers: France.
- The French Government established an agency, ANSSI, that identifies critical infrastructure (not just government infrastructure), sets standards for protecting that infrastructure, and then audits the vendors that supply the software protecting it.
- The benefit of this approach is that software vendors do not look at the regulator as a competitor, and ANSSI does not “steal” software. Instead, it ensures the safety of French infrastructure by auditing suppliers.
- One last note on ANSSI. As stated above, ANSSI does not apply its principles only to government infrastructure, but also to “critical” infrastructure. At Illumio, we have seen this agency’s involvement in French pharma, manufacturing, banking, and other infrastructure that is deemed “critical” to the French people.
- Such an approach would also have helped in the Colonial Pipeline ransomware attack (a pipeline is obviously critical infrastructure as well).
In many ways, capitalism and our fierce American independence may not make the two items above possible. Many Americans would not appreciate the government dictating how to run their business. So, what else can we do?
The answer is simple and many private sector organizations are already doing it: Zero Trust.
Adopting a Zero Trust framework ensures that if a supply chain attack occurs, the event is compartmentalized.
The Biden Administration’s Executive Order agreed with this thesis. Section 4(i) states that critical infrastructure must have least privilege and network segmentation - in other words, they must apply the principles of Zero Trust.
Applying a Zero Trust framework does not obviate the need to audit an organization’s supply chain. But even if the supply chain were fully audited for known supply chain hacks, Zero Trust still protects against the unknown supply chain attacks.
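To make the compartmentalization point concrete, here is an added example (not code from the original post or from Illumio) that models a default-deny segmentation policy and compares the blast radius of a compromised vendor-supplied monitoring host on a flat network with the same host under a least-privilege allow-list. Every host name, role label, port and observed flow below is constructed for illustration.

```python
"""Added example: least-privilege segmentation limits the blast radius of a
compromised third-party component. All inventory, rules and flows are constructed."""

# Constructed inventory: host -> role label.
HOSTS = {
    "mon-01": "monitoring",   # hypothetical host running a vendor monitoring agent
    "app-01": "app",
    "app-02": "app",
    "db-01": "db",
    "hr-01": "hr",
    "jump-01": "admin",
}

# Constructed Zero Trust allow-list of (src_label, dst_label, port).
# Any flow not listed here is denied (default deny).
SEGMENTED_POLICY = {
    ("monitoring", "app", 443),   # agent may poll application health over HTTPS
    ("app", "db", 5432),          # applications talk to the database
    ("admin", "app", 22),         # administrators reach servers from the jump host
    ("admin", "db", 22),
    ("admin", "monitoring", 22),
}


def flat_allows(src, dst, port):
    """A flat network: every host may reach every port on every other host."""
    return src != dst


def make_segmented(policy):
    """Build an allow() function that enforces the label-based allow-list."""
    def allows(src, dst, port):
        return src != dst and (HOSTS[src], HOSTS[dst], port) in policy
    return allows


def blast_radius(compromised, allows, ports=(22, 443, 5432)):
    """Hosts an attacker could reach from `compromised`, including hosts reached
    transitively by hopping through already-reached hosts (lateral movement)."""
    seen = {compromised}
    frontier = [compromised]
    while frontier:
        src = frontier.pop()
        for dst in HOSTS:
            if dst in seen:
                continue
            if any(allows(src, dst, p) for p in ports):
                seen.add(dst)
                frontier.append(dst)
    seen.discard(compromised)
    return sorted(seen)


# Constructed sample of observed flows: the first and last are legitimate; the
# middle two are what a compromised agent host might attempt.
OBSERVED_FLOWS = [
    ("mon-01", "app-01", 443),
    ("mon-01", "db-01", 5432),
    ("mon-01", "hr-01", 445),
    ("app-01", "db-01", 5432),
]


def policy_violations(flows, allows):
    """Flows the policy denies; under default deny these are the ones to alert on."""
    return [flow for flow in flows if not allows(*flow)]


if __name__ == "__main__":
    segmented = make_segmented(SEGMENTED_POLICY)
    print("flat network, mon-01 compromised:", blast_radius("mon-01", flat_allows))
    print("segmented,    mon-01 compromised:", blast_radius("mon-01", segmented))
    print("flows to alert on:", policy_violations(OBSERVED_FLOWS, segmented))
```

On the flat network the compromised monitoring host reaches every other host; under the allow-list it reaches only the application tier and, through it, the database, while HR and the jump host stay outside the blast radius. The remaining app-to-database reach is a reminder that the policy itself is the attack surface: each allowed flow should be the minimum the component genuinely needs. The denied flows are also the detection signal, since a vendor agent attempting SMB to an HR host violates the policy regardless of whether any endpoint tool recognizes the binary as malicious.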
By auditing how a vendor brings in third party software to ensure it isn’t falsely flagged as malware, looking at software coding practices, and using complex passwords, organizations can help to protect the supply chain. That said, today’s bad actors (whether sponsored by nation-states or by organized crime) will find a way. The question is how to limit the blast radius when that happens.
The answer is applying Zero Trust – and last week’s Executive Order shows that the government is on its way!
Are you looking to meet the White House's Executive Order requirements faster? Learn how here or join us for a workshop where you'll learn how to design a Zero Trust architecture for your federal agency.