US Supply Chain Cyberdefense Approach Needs to Assist Small Businesses
The U.S. witnessed an “uptick” in ransomware attacks during the pandemic, particularly against small businesses. And if those small businesses were offline for even a couple of days, “the impact on their supply chain was so significant” that manufacturers turned to other small businesses to replace those affected, said Kiersten Todt, managing director of the Cyber Readiness Institute, on Tuesday.
“When we lose small businesses, we lose key components of our global supply chains,” Todt charged during yesterday’s U.S. Chamber of Commerce Cyber Conference.
As Congress, the Biden administration and federal agencies grapple with modernizing their systems, deciding on cybersecurity standards, setting up incident prevention and response plans, preparing and revamping the cybersecurity workforce, and everything else that needs to be done to get ahead of adversaries and cybercriminals, Todt restated the importance of helping small businesses meet the challenges.
Todt’s comments came prior to the House Committee on Science, Space and Technology hearing on improving the supply chain’s cybersecurity. Ransomware attacks, like the recent one on Colonial Pipeline, use malicious software to encrypt an organization’s systems and data, holding them hostage until a ransom is paid. In light of the proliferation of these attacks, and of more sophisticated intrusions like SolarWinds, the hearing focused on the exposed vulnerabilities in the U.S. supply chain – from the design of a product to its manufacturing and distribution.
“Software supply chain hacks are not new,” pointed out Dr. Trey Herr, director at the Atlantic Council, but are “becoming more visible and more consequential by the day.” In the past decade, he noted during the hearing, more than 140 software supply chain attacks and disclosed vulnerabilities for such attacks have been revealed, with at least 30 “positively attributed to governments around the world.”
And with software “[spreading] to every corner of the human experience,” from smartwatches connecting to the internet to the operation of medical hardware and cars’ brake pedals controlled by embedded software, it is imperative that the U.S. get a hold on securing its software supply chains.
“Security flaws” come alongside this software and its “long chain of updates from vendors and developers,” Herr charged. And the hackers take advantage of these flaws, breaking the trust between the software coders and the users.
And 60% of small businesses close their doors one year after being victims of a cyberattack, said Karen Painter Randall, an attorney at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy and Incident Response Group.
Unfortunately, Todt said, this is because small businesses don’t have the resources to handle the risk management and mitigation strategies for cybersecurity “prevention, resilience and readiness.” Their lack of vendor management awareness was one of the challenges she pointed to.
Small businesses are having to make “split-second decisions” to either pay the ransom to avoid disruption of operations or not pay and be replaced.
Even cyber liability insurance is “very challenging for small businesses,” Todt said, as the plans often do not fully cover a breach. Hackers also “troll” the insurance policies to target the ones with the biggest payouts. Recently, global insurance company AXA announced it would not reimburse its customers for extortion payments for ransomware attacks.
AXA itself was in the “tower that paid for the [CNA Financial] ransom payment,” Randall said, a late March ransom which was recently revealed to be in the amount of $40 million.
As these small businesses play key roles in the digital economy as well as the global supply chain, Todt pointed to three key factors of basic “cyber hygiene” they need to set in stone: a strong user authentication process, such as mandatory multi-factor authentication (MFA) across all devices; ongoing software updates, known as “patches”; and “workable back-ups” that can be accessed immediately.
These steps would also create “a culture of cyber readiness and accountability” in the business, while simultaneously adding an extra layer of protection. Furthermore, among the five recommendations CRI sent to the administration, Todt highlighted the need for a “repository” of resources for small to midsize businesses.
Biden’s recent cybersecurity executive order requires all federal agencies to adopt MFA within 180 days of the May 12 order.