Former Presidential Adviser Advocates Tougher Software Vendor Standards After Breach
December 23, 2020
The environment where updates for the company’s software were developed was reportedly protected by a password anyone could guess.
In the wake of the SolarWinds hack, a former presidential adviser was emphatic about the government’s need to require more from providers of software and cloud services.
Researchers agree about the level of sophistication the perpetrators of the hacking campaign employed to gain the level of access they now have to sensitive systems and communications. But news reports have also suggested the attackers were able to take advantage of weak cybersecurity practices at SolarWinds, the software company that distributed the malware-laced update to its broad customer base. The update server’s password was “solarwinds123,” a security researcher told
[co-author: Tawanna Lee]
On December 17, 2020, the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force (“the Task Force”), a public-private partnership whose membership includes industry representatives from the IT and Communications sectors as well as federal government representatives, released its Year Two Report (“Report”). This work takes on increased importance as the federal government and private sector grapple with software supply chain challenges in the unfolding SolarWinds incident.
The Report builds on prior Task Force efforts and summarizes the work of the five working groups to address challenges to information sharing, threat analysis, qualified bidder and manufacturer lists, vendor assurance, and impacts of the COVID-19 pandemic on ICT supply chains. It identifies areas for continued Task Force work to support SCRM efforts across government and industry. As various federal efforts focused on securing the ICT supply c
On December 10, 2020, the Federal Communication Commission (FCC or Commission) unanimously approved a Second Report and Order on supply chain security (Second R&O), which is the latest effort in its evolving role with national security issues.[1] The FCC characterized the item as “another major step towards securing our communications networks by adopting rules to implement the Secure and Trusted Communications Networks Act of 2019.”
Among other things, the Second R&O:
establishes the procedures and criteria for publishing a list of covered communications equipment and services that pose an unacceptable risk to national security;
“Over several years, we have reported that the growing dependence on a globally distributed supply chain and the lack of control over and visibility into how ICT products and services are developed, integrated, and deployed presents an increasing amount of risk to federal agencies,” the report warned.
It identified ICT supply chain risks, including the introduction of counterfeit products and the compromise of legitimate ones before delivery. “Threat actors attack all tiers of the supply chain and at each phase of the system development life cycle and, thus, pose significant risk to federal agencies,” it continued.
Auditors examined how agencies implemented seven foundational supply chain risk management (SCRM) practices, including executive oversight, creating an agency-wide strategy, and creating SCRM requirements for suppliers.
GAO Issues ‘Wake-Up Call’ Report on Agencies’ Lax Supply Chain Security Management
December 16, 2020
The bottom line is that none of the 23 agencies audited fully implemented foundational risk management practices.
Days after news that sophisticated hackers exploited a flaw in the SolarWinds Orion software to breach a major security company and victimized several federal agencies, the Government Accountability Office made public a major audit showing federal civilian agencies are failing to manage risks in the information and communication technologies supply chain.
Though GAO finished its audit several months ago, the timing of the release of the public version, which GAO shared Tuesday, underscored the audit’s significance: ICT supply chains are targets for adversaries, and without implementing “foundational” supply chain risk management (SCRM) practices, agencies risk exploitation.