BACKGROUND:
The New York Times is reporting this morning: Russia Challenges Biden Again With Broad Cybersurveillance Operation. Of note in that reporting was that after Administration officials confirmed the attacks were ongoing, they laid the blame for any attack success at the feet of the private sector, saying “We can do a lot of things, but the responsibility to implement simple cybersecurity practices to lock their — and by extension, our — digital doors rests with the private sector.”
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>Russia’s broken promises should come as no surprise. Adversarial countries continue to make empty promises, all while funding offensive operations around the globe. With this, there has been an exponential increase of attacks attempted by nations and their state-sponsored counterparts over the last year. It has become abundantly clear there are alternative methods to traditional warfare to destabilize economies and administrations alike.</p>
<p>The U.S. attempts to remedy deficiencies within the Defense Industrial Base(DIB) by enforcing new or increased forms of compliance, namely, the Cybersecurity Maturity Model Certification(CMMC). The CMMC no longer allows organizations to operate as part of the DIB with glaring vulnerabilities masked with the promise of getting fixed. You will need to become certified and maintain the required level of security or cease your operations with the government.</p>
<p>While this covers a large swath of organizations, it leaves the question of those with no direct relationship with the government. The private sector vulnerability will start to be corrected by the increased use of vendor risk management and basic security requirements required baked into contractual agreements between organizations. Few can afford to have a security breach occur within their organization or any organization they do business with. The increased pressure in the private sector between partners will drive a simple choice; comply with the required security baseline or experience client churn and the loss of future clients.</p>
<p>Not content with resting on its laurels in the wake of the largely successful SolarWinds attack, Russian state actors have been pursuing further attacks on US tech companies, as well as government agencies and think tanks. While relatively few of these attacks have succeeded, even one success is too many.</p>
<p>Every organization, no matter what their purpose, has to do a better job of protecting their assets. You can’t rely on “security by obfuscation” or security by cloud providers if you’re serious about keeping attackers out. A program of data collection and analytics, coupled with real time risk assessment is the only way to protect yourself against threats.</p>