US Supply Chain Cyberdefense Approach Needs to Assist Small Businesses
The U.S. saw an “uptick” in ransomware attacks during the pandemic, particularly against small businesses. And if those small businesses were offline for even a couple of days, “the impact on their supply chain was so significant” that manufacturers turned to other small businesses to replace those affected, Kiersten Todt, managing director of the Cyber Readiness Institute, said Tuesday.
“When we lose small businesses, we lose key components of our global supply chains,” Todt charged during yesterday’s U.S. Chamber of Commerce Cyber Conference.
As Congress, the Biden administration and federal agencies grapple with modernizing their systems, deciding on cybersecurity standards, setting up incident prevention and response plans, preparing and revamping the cybersecurity workforce, and everything else that needs to be done to get ahead of adversaries and cybercriminals, Todt restated the importance of helping small businesses meet the challenges.
Todt’s comments came prior to the House Committee on Science, Space and Technology hearing on improving the supply chain’s cybersecurity. Ransomware attacks, like the recent one on Colonial Pipeline, use malicious software to encrypt an organization’s data and systems, holding them hostage until a ransom is paid. In light of the proliferation of these attacks, and of more sophisticated intrusions like the SolarWinds supply chain compromise, the hearing focused on the exposed vulnerabilities in the U.S. supply chain, from the design of a product to its manufacturing and distribution.
“Software supply chain hacks are not new,” pointed out Dr. Trey Herr, director at the Atlantic Council, but are “becoming more visible and more consequential by the day.” In the past decade, he noted during the hearing, more than 140 software supply chain attacks and disclosed vulnerabilities for such attacks have been revealed, with at least 30 “positively attributed to governments around the world.”
And with software “[spreading] to every corner of the human experience,” from internet-connected smartwatches to medical hardware and cars’ brake pedals controlled by embedded software, it is imperative that the U.S. get a handle on securing its software supply chains.
“Security flaws” come alongside this software and its “long chain of updates from vendors and developers,” Herr charged. And the hackers take advantage of these flaws, breaking the trust between the software coders and the users.
Sixty percent of small businesses close their doors one year after falling victim to a cyberattack, said Karen Painter Randall, an attorney at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy and Incident Response Group.
Unfortunately, Todt said, this is because small businesses don’t have the resources to handle the risk management and mitigation strategies for cybersecurity “prevention, resilience and readiness.” Their lack of vendor management awareness was one of the challenges she pointed to.
Small businesses are having to make “split-second decisions” to either pay the ransom to avoid disruption of operations or not pay and be replaced.
Even cyber liability insurance is “very challenging for small businesses,” Todt said, as the plans often do not fully cover a breach. Hackers also “troll” the insurance policies to target the ones with the biggest payouts. Recently, global insurance company AXA announced it would not reimburse its customers for extortion payments for ransomware attacks.
AXA itself was in the “tower that paid for the [CNA Financial] ransom payment,” Randall said, referring to the late-March ransom recently revealed to have been $40 million.
As these small businesses play key roles in the digital economy as well as the global supply chain, Todt pointed to three key factors of basic “cyber hygiene” they need to set in stone: a strong user authentication process such as mandatory multi-factor authentication across all devices, ongoing software updates (“patches”), and “workable back-ups” that can be accessed immediately.
These steps would also create “a culture of cyber readiness and accountability” in the business, while simultaneously adding an extra layer of protection. Furthermore, among the five recommendations CRI sent to the administration, Todt highlighted the need for a “repository” of resources for small to midsize businesses.
Biden’s recent cybersecurity executive order requires all agencies to adopt MFA within 180 days of the May 12 order.