The CEO of SolarWinds was joined by FireEye chief executive Kevin Mandia, Microsoft President Brad Smith, and CrowdStrike chief executive and president George Kurtz to speak to the Senate Intelligence Committee during the first public congressional hearing on the SolarWinds hack. Many important topics are currently being discussed, including calling for deeper partnerships between the private and public sectors.
<p>During today’s hearing, we heard several cybersecurity leaders describe the post-SolarWinds world. What did we learn? I want to flag three concepts: the importance of public-private cyberdefense cooperation; the need for a strategic shift in methods of cybersecurity planning; and the need for visibility into U.S. government agencies and private companies’ cyberdefense effectiveness. All three issues are central to the future evolution of our cybersecurity posture.</p>
<p>First, on the basis of recent comments from the White House and the testimonies today, we should expect an increased focus on expanding public-private cooperation to counter cyberattacks and manage national cybersecurity contingencies like SolarWinds. There is strong Congressional support to do so. Following recommendations from the U.S. Cybersecurity Solarium Commission report, the 2021 NDAA includes a provision for a joint public-private cyberdefense planning forum. Such a planning organization could go a long way towards increasing the voluntary, combined cyberdefense operations required to help block and disrupt attacks on the nation. With appropriate investment by the government and private companies, it could help the country significantly.</p>
<p>Second, SolarWinds reveals the need for a strategic shift in cybersecurity planning. We have long known that advanced persistent threats have the time, financial resources, and personnel to find ways to break past our front-line defenses. It is not a question of if but when an advanced persistent threat will break past a perimeter defense. Organizations need to assume breach, invest in best-in-class defense capabilities (to include zero trust), and then test, measure, and validate their post-breach defenses. This three-pronged strategic approach can be used as a repeatable process for U.S. federal agencies to improve their resilience to cyberattacks.</p>
<p>This leads us to a third and final point. 
We’ve heard leaders speak of the need for better visibility into the nation’s cyberdefense. What does that mean? We need to be able to see what attackers are doing and, more importantly, see how well our defenses perform against known threats. This goes beyond information sharing and into automated assessments of cybersecurity effectiveness. How so? In the wake of SolarWinds, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) used the <a href="https://attack.mitre.org">MITRE ATT&CK</a> framework to describe the SolarWinds intruder’s behavior. A publicly available framework, ATT&CK provides an inventory for adversary tactics, techniques, and procedures that any organization can adopt. It is a path for visibility. By testing cyberdefense capabilities against known threat behaviors, organizations can measure their cyberdefense effectiveness, gain visibility into their performance, and then make improvements in their security posture.</p>
<p>Today’s discussion was deeply informative. Following last week’s statements from the White House and today’s discussion on the Hill, I fully expect the Biden administration and Congress to drive meaningful, measurable improvements in the United States’ cybersecurity posture. We have the leadership, the knowledge, and a strategy for moving forward.</p>