US Supply Chain Cyberdefense Approach Needs to Assist Small Businesses
The U.S. witnessed an “uptick” in ransomware attacks during the pandemic, particularly against small businesses. And if those small businesses were offline for even a couple of days, “the impact on their supply chain was so significant” that manufacturers turned to other small businesses to replace those affected, said Kiersten Todt, managing director of the Cyber Readiness Institute, on Tuesday.
“When we lose small businesses, we lose key components of our global supply chains,” Todt charged during yesterday’s U.S. Chamber of Commerce Cyber Conference.
As Congress, the Biden administration and federal agencies grapple with modernizing their systems, deciding on cybersecurity standards, setting up incident prevention and response plans, preparing and revamping the cybersecurity workforce, and everything else that needs to be done to get ahead of adversaries and cybercriminals, Todt restated the importance of helping small businesses meet the challenges.
Todt’s comments came prior to the House Committee on Science, Space and Technology hearing on improving the supply chain’s cybersecurity. Ransomware attacks, like the recent one on the Colonial Pipeline, use malicious software to essentially gain a backdoor into an organization’s system, holding it hostage until a ransom is paid. In light of the proliferation of these attacks, and the more sophisticated hacks like SolarWinds, the hearing focused on the exposed vulnerabilities in the U.S. supply chain – from the design of a product to its manufacturing and distribution.
“Software supply chain hacks are not new,” pointed out Dr. Trey Herr, director at the Atlantic Council, but are “becoming more visible and more consequential by the day.” In the past decade, he noted during the hearing, more than 140 software supply chain attacks and disclosed vulnerabilities for such attacks have been revealed, with at least 30 “positively attributed to governments around the world.”
And with software “[spreading] to every corner of the human experience,” from smartwatches connecting to the internet to the operations of medical hardware and cars’ brake pedals being controlled by embedded software, it is imperative that the U.S. get a hold on securing its software supply chains.
“Security flaws” come alongside this software and its “long chain of updates from vendors and developers,” Herr charged. And the hackers take advantage of these flaws, breaking the trust between the software coders and the users.
And 60% of small businesses close their doors one year after being victims of a cyberattack, said Karen Painter Randall, an attorney at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy and Incident Response Group.
Unfortunately, Todt said, this is because small businesses don’t have the resources to handle the risk management and mitigation strategies for cybersecurity “prevention, resilience and readiness.” Their lack of vendor management awareness was one of the challenges she pointed to.
Small businesses are having to make “split-second decisions” to either pay the ransom to avoid disruption of operations or not pay and be replaced.
Even cyber liability insurance is “very challenging for small businesses,” Todt said, as the plans often do not fully cover a breach. Hackers also “troll” the insurance policies to target the ones with the biggest payouts. Recently, global insurance company AXA announced it would not reimburse its customers for extortion payments for ransomware attacks.
AXA itself was in the “tower that paid for the [CNA Financial] ransom payment,” Randall said, a late March ransom which was recently revealed to be in the amount of $40 million.
As these small businesses play key roles in the digital economy as well as the global supply chain, Todt pointed to three key factors of basic “cyber hygiene” they need to set in stone: a strong user authentication process like an obligatory Multi-Factor Authentication across all devices, ongoing software updates known as “patches” and ensuring there are “workable back-ups” that can be accessed immediately.
These steps would also create “a culture of cyber readiness and accountability” in the business, while simultaneously adding an extra layer of protection. Furthermore, among the five recommendations CRI sent to the administration, Todt highlighted the need for a “repository” of resources for small to midsize businesses.
Biden’s recent cybersecurity executive order mandates MFA to be adopted by all agencies within 180 days of the May 12 order.