Following the SolarWinds Corp. breach that allowed hackers to infiltrate the systems of U.S. agencies, experts weighed in on how such vulnerabilities could be mitigated in the future.
During a panel on cybersecurity policy at State of the Net 2021, an internet policy conference, cybersecurity experts listed a number of changes that could better position the government to prevent such an attack.
Tatyana Bolton, policy director for the cybersecurity and emerging threats team at R Street Institute, a free-market policy think tank, suggested the government establish a bureau of cyber statistics. The bureau could provide information to critical infrastructure facilities and policymakers.
As part of his sweeping $1.9 trillion COVID-19 rescue package proposal, President Joe Biden proposed setting aside billions of dollars to bolster U.S. cybersecurity. Specifically, Biden's American Rescue Plan calls for a $9 billion investment to help the U.S. launch major new IT and cybersecurity shared services at the Cyber Security and Information Security Agency and the General Services Administration. The investment would also go toward helping complete modernization projects at federal agencies.
Biden's plan states that the money would help "remediate the SolarWinds breach and boost U.S. defenses, including of the COVID-19 vaccine process."
Robert Mayer — cybersecurity and innovation senior vice president at USTelecom, which represents the nation's broadband industry, including members such as AT&T Inc. and Verizon Communications Inc. — said industry needs to strengthen partnerships with government.
Mayer noted that this desire is being reflected in the real world.
"Immediately after SolarWinds, the [Federal Communications Commission] reached out to the communications sector coordinating council, the major associations, some of the largest companies, some of the largest ISPs and said, 'Look, we want you to come in, we want to understand exactly how you've been impacted by this, what efforts you have taken to protect and detect the activity, respond and recover,'" he said. "And that has gone forward, and there's this real sharing of important information in a safe and contained environment," added Mayer.
Kemba Walden, digital security unit attorney at Microsoft Corp., also urged closer collaboration between the public and private sectors going forward.
"The private sector actually has more access to signals, intelligence, in a lot of ways, than the government does," she said. "The government has more authority to do things with that intelligence than the private sector does. So there really needs to be a cooperative, collaborative, actionable relationship between the two in order to be able to address something like software supply chain security."
As many as 18,000 of SolarWinds' customers were exposed to a software vulnerability in its Orion products that allowed hackers to breach the systems of U.S. agencies such as the Justice Department and companies including Microsoft.