Procurement to be a leader in US cyber security efforts
During a briefing on Friday, a senior administration official confirmed that the White House plans to issue an executive order in response to the SolarWinds attack, in which the perpetrators leveraged cloud services to gain access to several federal agency networks.
The perpetrators gained initial access to nine federal agencies and roughly a hundred companies using a trojanised software update and other techniques, such as password spraying. Exploiting a vulnerability in Microsoft’s Active Directory Federation Services, the attackers jumped to organisations’ cloud-hosted Office 365 accounts and from there moved laterally to other areas of the system.
The official spoke to the steps the government is taking in response to the attack in three parts.
Part one, finding and expelling the adversary
“First, finding and expelling the adversary. We’re in week three of a four-week remediation across the federal government. The compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.
“Most of the agencies have completed that independent review. For those who have not yet, they will complete it by the end of March,” the official said.
Part two, “Building Back Better to Modernize Federal Defense.”
He then addressed the standardisation of methodologies being used for incident response. “As we talked about during a press event a number of weeks ago, we cannot defend a network if we can’t see a network. And in our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the federal government.
“So we will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies. We want to make the federal government a leader, not a laggard, in cybersecurity. And we know we need to be able to defend against the adversaries who pursue the nation’s diplomatic, law enforcement, and health efforts.
“Those will be rolled out in the near term, beginning, as I said, with the nine compromised agencies and then more broadly across the federal government to ensure we have the visibility we need to have trust in our networks, that we can protect the important work the federal government does on behalf of the American people.”
The official then gave examples of rating systems and cybersecurity standards that may be developed for software and for connected (IoT) devices such as baby monitors. Both are expected to be covered in an executive order coming “in the next couple of weeks — or in the next few weeks.”
Part three, responding to perpetrators
“And then, finally, the third part of what we’re doing about it is responding to the perpetrators of the attack. You can expect further announcements on that in weeks, not months,” the official said. He then went on to explain what happened in the attack and highlighted its impact and significance, both in terms of data sets and ransomware.
“Back to the key question of what are we doing about the Microsoft Exchange work? We have been working incredibly hard across government and the private sector, across all elements of the U.S. government.
“First, we’re leaning forward to alert Americans and convey the seriousness. The National Security Advisor tweeted early and more than once, signaling how important this is. I think this is the first-ever National Security Advisor to tweet on a cybersecurity incident. And tweeting also that insecure software is a threat to national economic security.”
Although there were weaknesses in the creation of the software, lack of domestic visibility was noted as a key issue. “The U.S. government largely does not have visibility into U.S. infrastructure. And many of these actors operate out of U.S. infrastructure.”
“We believe the model for the U.S. government in addressing cybersecurity issues involves working closely with the private sector. We’re not looking at additional authorities for any government agencies to do additional monitoring within the U.S. at this time. We are focused on tightening the partnership between the U.S. government and the private sector. For the first time, we’ve invited private-sector companies to participate in the Unified Coordination Group because we still believe that public-private partnership is foundational in cybersecurity, and we want to ensure we’re taking every opportunity to include key private sector participants early and directly in our remediation efforts.”
And finally, the official spoke to leveraging procurement as a leader: “Beginning with the compromised agencies, as well as addressing, in the upcoming executive action, some of the foundational areas that we think will help the federal government use procurement to be a leader in this space, and, really, in meeting in this space, address both private-sector and government challenges in finding, buying, and using innovative, usable, and secure software and hardware — and systems, to your point.”
AICPA: The State of Risk Management
In the fall of 2020, the American Institute of Certified Public Accountants (AICPA) surveyed 420 members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions, representing organisations of different sizes and types. The result is The 2021 State of Risk Oversight report.
Let’s review its key findings.
First, to ensure a clear understanding of our starting point, let’s review the drivers.
The report states that “risk volumes and complexities are at their highest level in 12 years, increased by significant events tied to COVID-19, social unrest, national elections, extremely low-interest rates, and a host of other risk triggers – no type of organization is immune”.
The supply chain disruptions brought on by the global pandemic changed the nature of top risks, with core operations having been significantly impacted by risk events, highlighting the need for improved risk management and continuity of business plans.
Organisations are also facing further pressures from stakeholders to provide more information on risk and mitigation strategies.
Despite the well-accepted need to better prepare for the unforeseen, only 30% of respondents report they are “mostly satisfied” or “very satisfied” with their organization’s Key Risk Indicators (KRIs).
From JIT to JIC: When in Doubt, Stock
It’s been said that a company’s shortcomings can be seen in its safety stocks. Safety stocks, or increased inventory levels, have their time and place and are a legitimate mitigation tactic. However, companies are often quick to jump from JIT (just-in-time) to JIC (just-in-case) in place of evaluated, strategic decision making in which trade-offs are consciously made based on organisational objectives and values.
Although there is a growing trend towards increasing safety stocks and buffering supply chains, the report states that the majority of organisations have not taken the extra step of aggregating risk information into an enterprise-level inventory of top risks. Organisations continue to struggle to integrate a more formal risk management approach and to implement strategic action plans.
Financial services aside, most companies are not considering risk exposure when evaluating possible strategic initiatives or making capital allocations. In other words, risk is not even considered when making some of the business’s most important decisions.
Critically for procurement, which is often in the position of having to make those trade-offs, most organisations do not formally articulate tolerances for risk-taking as part of their strategic planning activities.
The report also highlights that there is considerable room for improvement when it comes to mitigating reputation and brand risk.
ERM: We’ve come some of the way, baby…
- While progress has been made in implementing complete enterprise risk management (ERM) processes, more than two-thirds of organisations surveyed still cannot claim they have “complete ERM in place.”
- Public companies and financial services organisations exhibit the biggest move towards ERM in 2020.
- With the exception of non-profit organisations, most types of organisations believe their risk management oversight is more robust or mature than in any of the prior four years. But we aren’t quite there yet...
- Fewer than half of respondents describe their organisation’s approach to risk management as “mature” or “robust.”
The Impact of Culture on Risk
Some organisations believe other priorities stand in the way of more advanced risk management and that risk is managed in more informal ways, impeding the move to ERM.
The report also indicates that most organisations fail to provide training or guidance on risk management. This can lead to a lack of understanding of the importance of proactive risk management efforts and of their ability to improve a company’s performance.
Furthermore, risk management is not incentivised, with few organisations embedding risk management incentives into performance compensation arrangements.
There seems to be a misalignment between a company’s tolerance for risk and its risk management actions. Despite the majority of organisations describing their risk culture as “strongly risk-averse” to “risk-averse”, only a minority of respondents describe their risk management processes as “mature” or “robust.”
So, it would seem, organisations are aware of the heightened need for risk management, consider themselves to be “risk-averse”, even perhaps strongly so, yet have immature risk management processes and a culture that impedes progress.
The question remains, what, if anything, will companies do about it?
For a detailed analysis that provides helpful perspective and benchmarking on risk management, download the 2021 State of Risk Oversight report.