The war in Ukraine demonstrates that modern warfare is not waged only on the battlefield. The war started with attacks on Ukrainian websites and computers, and it continues with Ukraine’s supporters attacking Russian targets. On May 12, 2021, President Biden issued an executive order to improve cybersecurity for the federal government. However, when it comes to the private sector, all Biden administration initiatives are voluntary and depend on the goodwill of private companies.
Unfortunately, this is not sufficient. While there are no methods that can completely safeguard networks and systems against cyberattacks, to increase the odds that our country will not be paralyzed, regulations that will enforce cybersecurity principles on products and infrastructure are necessary.
The executive order was an excellent first step in the right direction. It required the National Institute of Standards and Technology (NIST), in collaboration with industry and other partners, to develop a new framework to improve the security and integrity of the technology supply chain. As a direct response, in February 2022, NIST published *Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products* and *Recommended Criteria for Cybersecurity Labeling of Consumer Software*. The publications recommend cybersecurity labeling for consumer software and consumer internet-connected devices that would give the public a clear indication of whether a device or software meets cybersecurity criteria.
One of NIST’s tasks is to “consider ways to incentivize manufacturers and developers to participate in these programs.” In other words, there is currently no intent to force vendors, big or small, to label their products. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) offers recommendations and tools for companies to maintain cybersecurity hygiene, but it has no enforcement capabilities.
The guidelines outlined by CISA and by NIST are not surprising or onerous; rather, they build upon existing frameworks and incorporate lessons learned from cyberattacks. Following these standards would have prevented some of the most massive cyberattacks known to date. But they also require investment in better IT practices, additional software and, oftentimes, new hardware development.
To ensure companies invest in better cybersecurity, the U.S. must require all companies to go through a yearly audit to certify their IT infrastructure and obtain a cybersecurity label for their products. Companies that do not meet the certification criteria ought to face financial penalties. At the same time, the U.S. government should embark on a campaign to educate the public on the security labeling, so the public avoids purchasing products that lack a cybersecurity label and, therefore, have not met the criteria.
The ransomware attack on the Colonial Pipeline in 2021, which caused power outages across the East Coast, demonstrates the importance of following the guidelines. According to Bloomberg, a hacker got hold of a password to a single VPN account and through that account was able to take down the largest fuel pipeline in the U.S. This attack could have been prevented if access to the VPN required multi-factor authentication, which adds an additional layer of identification on top of the password (as recommended by the currently voluntary CISA guidelines).