As agencies are scrambling to recover and build up their cybersecurity from the Russia-backed hack of thousands of government and private-sector networks via SolarWinds Orion products, Federal agency leaders say it will not be easy.
During a Feb. 11 virtual event hosted by ATARC, Jaime Noble, the chief information security officer (CISO) for the Office of Chief Information Officer, Office of Justice Programs at the Department of Justice (DoJ), said “I definitely think it’s going to be an uphill battle,” regarding recovery from the SolarWinds breach.
“We need to pay more attention to supply chain, and it’s not going to be easy. We’re going to need to work with our vendors and the private sector, and we’re going to need to come up with a framework for how we’re dealing with all of this,” Noble said.
“It hasn’t been easy dealing with our partners and our vendors and putting clauses in our contracts now for the products that we’re using about if they have a breach in their network and their corporate network, how we’re advised about that, how that impacts us, and what those interfaces are. And I think it’s just going to be even more challenging as we go along, but it’s, but it’s something that we need to do,” Noble added.
Noble said in terms of preventing incidents such as the SolarWinds breach, “identity and access management” will position agencies to be better protected against cyber hacks.
Andrea Simpson, CISO at the Federal Communications Commission (FCC), said the FCC is currently in the process of moving its legacy environments to multifactor authentication.
“I’m literally in the infancy stages of defining out the framework for the trust factor within the FCC and kind of saying, ‘Okay, what does it mean for FCC to trust?’” Simpson said. “What do those different assets mean in terms of trust and kind of defining ‘Hey, here’s what we say when we say we trust you.’ And then when we say that, what are the mechanisms to where we can validate that trust?”
Frank Husson, the branch chief at the Cybersecurity and Infrastructure Security Agency (CISA), said the focus for his agency moving forward is identity: not only knowing which people have access to your data, but which machines do as well.
“CISA has a pretty aggressive effort underway right now to provide guidance to both the vendor community, as well as the consumer community on the supply chain front. We’re trying to provide some guidance and suggestions on what types of questions should consumers be asking of the vendors when it comes to supply chain. Things such as use of third-party software components,” Husson said. “So that we as consumers have a better idea of the security practices they are employing in the development of their products.”