The Sunburst campaign, which includes the SolarWinds incident, is not unique in its type or frequency. Supply-chain attacks have been happening more frequently over the past seven or so years. As adversaries continue to rapidly identify vulnerabilities, coupled with the world’s increased reliance on digital connectivity, we face mounting challenges in preventing, detecting, and responding to sophisticated attacks.
Ultimately, threat actors have realized that their activities require low capital investment and yield high returns. So, we must continue to navigate these challenges because these attacks are not the Achilles’ heel of digitalization. Instead, they are a symptom of the exponential growth, innovation, and democratization of technology throughout our lives, including in critical infrastructure. We simply need a call to action for change and collaboration.
There are many aspects of technology that will shape our future, but near the top will be the supply chain and our dependence on wider technology ecosystems. This indicates a need to strengthen trust relationships with suppliers and other technology partners. The Sunburst campaign strikes at the very heart of these trust-based relationships. And while not unique, Sunburst remains the most widely covered software supply chain attack that we have ever seen and experienced as a society. As the facts continue to emerge, it is becoming increasingly clear just how disjointed our information network has become in the United States. Sunburst has helped reveal the gaps in that flow.
We will certainly see more cyberattacks across our technology ecosystem. However, given the attention to Sunburst, we have a unique and potent opportunity right now to improve our cybersecurity posture. When it comes to threat actors, we need to be more intentional about identifying, structuring, and leveraging the critical information related to these threats located in various sectors throughout the US technology ecosystem.
Recently, the Atlantic Council’s Cyber Statecraft Initiative, where I have participated and contributed to multiple products, released its full report on SolarWinds, titled “Broken Trust: Lessons From Sunburst.” The report outlines three overarching lessons learned from this attack. The first is that we have seen compromised software supply chains before; what made Sunburst a larger issue is the role of cloud computing as a target. Second, we could have done more to protect and prioritize federal systems. And finally, the lesson that I found to be the most salient: “Sunburst was a failure of strategy.”
So, what exactly does that mean? It means cybersecurity is about more than just deploying technology. It’s about more than just taking action with safeguards like zero trust, which requires the continual verification of users in a system. Cybersecurity is mostly about collaboration.
That is why I am happy to see Congress engaging on this topic. The federal government is well-positioned to help define a strategy for our technology ecosystem and foster collaboration across various sectors. The government can help create a safe and secure continuum of information flow that spans R&D at educational, private, and nongovernmental organizations, as well as the practical knowledge and application found within the private sector. All could fit within a progressive governance framework that is robust enough to define clear guardrails and purpose, but flexible enough to accommodate the nuances of drastically different sectors operating within it. On top of this framework should be a well-articulated national digitalization strategy, which includes cybersecurity as its core principle.
This is particularly critical as the federal government pivots to digitalize vast swaths of its infrastructure in the coming years. Digitalization and cybersecurity are two sides of the same coin. With continued digitalization, this risk will just increase. We can’t allow this risk to hold us back; cybersecurity is challenging, not paralyzing.
Additionally, we can no longer solely depend on data and technology to guard against hackers trying to break into networks. There’s another critical industrywide issue at play here: the talent gap. Cybersecurity positions are growing three times faster than other IT positions, according to a 2019 report from Burning Glass Technologies, an analytics software company providing real-time data on job growth and skills in demand. Additionally, the 2020 (ISC)² “Cybersecurity Workforce Study” estimates that there are roughly 3.1 million unfilled cybersecurity jobs worldwide. It’s crucial to radically recruit and train talented professionals, redefining what it means to be qualified so that more people can help us drive our digital journey into the future.
Finally, and most importantly, ownership will hold all this together. We all must accept extreme ownership of cybersecurity so that, together, we are stronger. Industry must be an active partner in driving needed changes, as both public and private stakeholders focus on a model of operational collaboration rather than simply sharing information. Only then will we be able to execute a sustainable cybersecurity strategy that allows us to build trust and secure our nation’s critical infrastructure over time.
The response to this public attack should lead to meaningful action that moves us forward. By empowering key leaders and organizations to make changes to improve America’s cyber posture, as the Biden administration has done so far, we can meet the challenge of this moment.
Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the Cybersecurity strategy, governance and implementation for the company’s largest market — ~$23B in annual revenues. In this role, Kurt oversees the coordination of cybersecurity for …