
How Will Cybersecurity Change in Response to Mass Attacks?

Following the high-profile cyber attacks involving Microsoft and SolarWinds, government agencies are taking a closer look at the risks posed by third-party vendors and how they respond to incidents like these.

A digital image of a lock on a screen next to lines of code.
Shutterstock
Two recent and extremely high-profile cyber attacks have pulled even more focus to the issue of vendor security and the myriad problems that come when their systems are breached.

Most recently, an attack against Microsoft’s Exchange email servers in January exposed a mix of more than 30,000 public- and private-sector customers. Just a month before, SolarWinds and some 18,000 of its customers suffered a similar fate.

What the SolarWinds incident did to bring attention to the issue of supply chain security, the Microsoft incident magnified. But what, if anything, can government do to protect itself from threats concealed within proprietary software?

According to Maria Thompson, North Carolina's chief risk officer, there are two key things that governments need to do. The first is to recognize that the problem exists, and the second is to analyze the government contracts currently in place with vendors in order to establish stricter controls. This effort means increasing transparency between governments and vendors in terms of reporting cyber incidents, in addition to establishing a plan of action should a vendor fail to comply.

“Greater transparency is needed across the board,” emphasized Thompson.

With transparency comes a great need for information sharing, particularly between vendors and their customers. With the recent cyber attacks, many customers were not immediately made aware of the breaches.

“I can tell you that a lot of state entities and local government entities, we’re quickly losing our trust in some of these solutions that we have because, you know, we find out after the fact — months after a data breach has occurred,” Thompson said.

This forces governments into a reactive mode, spending money and resources to remediate issues when their focus should be on operational activities. Ideally, governments could instead adopt a streamlined mechanism for more open sharing of information between governments and vendors.

Dan Stroman, senior director of public sector at CloudCheckr, explained that some government entities are shifting their systems to the cloud because on-premises software leaves vulnerabilities, citing the SolarWinds incident as an example. His belief is that cloud platform providers are taking the proper steps to show customers that the cloud is a secure option.

“The cloud platform providers have made a huge investment in assuring the constituency, their customers, that they’ve got security really well covered,” said Stroman. “They have a lot of due diligence that they’re able to show.”

There are other steps that can be taken from a policy standpoint. For example, North Carolina has adopted supply chain security controls as part of the NIST 800-53 Rev 5 controls, and many other states are involved in similar discussions to improve visibility and controls. However, these risks are not something that state governments are able to handle alone and will require a coordinated effort between federal, state, and local governments working with the private sector. Pressure is also mounting for the federal government to implement a plan to help guide smaller government entities through these situations.

“It really takes a concerted effort at their level because we cannot do it at the state level by ourselves,” Thompson explained. “I think that’s the key thing … it has to go further up the chain for true change to occur when it comes to supply chain risk.”

A draft spending plan by the Cybersecurity and Infrastructure Security Agency looks to allocate more than $150 million in federal funding to Microsoft for cybersecurity in response to the recent hack, reported Reuters. Some government officials, including Oregon Sen. Ron Wyden, have expressed concerns about this move, stating that if this is the only solution, the government needs to re-evaluate its dependence on Microsoft.

The private sector can, and must, have a hand in enacting a plan of action in the case of another cyber attack, but it must be a coordinated effort with the public sector as well.

“The main thing that I would like to say about this attack is that I envision that more of these attacks will occur in the future,” stated Thompson regarding the Microsoft hack. “I think that it’s going to take a partnership between private and public entities to really figure out what’s the best approach in how to mitigate the supply chain risk. And we have to do it as a team effort; it’s not done in a vacuum.”


Government Technology is a sister site to Governing. Both are divisions of e.Republic.
