In previous posts (here and here), we discussed the Executive Order of 12 May and the CSIS event on it. The guest was Anne Neuberger, Deputy National Security Advisor for Cyber and New Technologies.
The experts were generally supportive of what was said. Some of their main thoughts:
- On the one hand, the US government turns as slowly as a huge ship. On the other hand, even a small course correction can have a huge impact. One example would be a restructuring of federal procurement, the effect of which will hopefully spread to private-sector procurement over time.
- Many of the requirements to increase cybersecurity are already in place and should be adhered to.
- How will these ambitious plans be funded?
- Federal organisations need to be set up and staffed to monitor the implementation of the measures.
In particular, William Hugh Murray of the SANS Institute (Escal Institute of Advanced Technologies), a consultant and training expert, points out that ‘secure software’ and ‘supply chain’ are related but separate issues.
There is no reason to believe that SolarWinds did not test Orion’s code and find it secure.
In fact, they were distributing code that they did not even know existed. That is the real problem.
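The distinction Murray draws, as an added example that is not part of the original post or of any vendor's tooling: testing the code in source control says nothing about what came out of the build pipeline. The check below (Python; the file paths and contents are constructed for illustration, not taken from any real product) hashes the files that an independent build of the reviewed source produces and compares them against the artifact that is actually about to be shipped. An unexpected or altered file is exactly the ‘code you did not know existed’ case, and it is caught without any knowledge of what the injected code does.

```python
"""Compare a release artifact against the build the vendor actually reviewed.

Added example for this post; the file names and contents below are
constructed for illustration and do not come from any real product.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's content."""
    return hashlib.sha256(data).hexdigest()


def manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map every path in a file tree to the hash of its content."""
    return {path: sha256(content) for path, content in tree.items()}


def compare_manifests(expected: Dict[str, str],
                      actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between two manifests.

    'added'    : files in the shipped artifact that the reviewed build never produced
    'removed'  : files the reviewed build produced that are missing from the artifact
    'modified' : files present in both whose content differs
    """
    added = sorted(p for p in actual if p not in expected)
    removed = sorted(p for p in expected if p not in actual)
    modified = sorted(p for p in expected
                      if p in actual and expected[p] != actual[p])
    return {"added": added, "removed": removed, "modified": modified}


def check_release(expected: Dict[str, str],
                  shipped: Dict[str, bytes]) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (ok, differences). ok is True only when the artifact is byte-for-byte
    what the independent build of the reviewed source produced."""
    diff = compare_manifests(expected, manifest(shipped))
    ok = not (diff["added"] or diff["removed"] or diff["modified"])
    return ok, diff


# Constructed sample: what an independent rebuild of the reviewed, tested source
# produces (hypothetical paths and contents).
REVIEWED_BUILD = {
    "app/core.dll": b"reviewed core logic",
    "app/updater.dll": b"reviewed updater",
}

# Constructed sample: the artifact that actually left the build pipeline.
# One reviewed file has been altered and one file exists that was never in
# source control at all; the vendor's source-level tests would pass regardless.
SHIPPED_ARTIFACT = {
    "app/core.dll": b"reviewed core logic",
    "app/updater.dll": b"reviewed updater\n# appended during the build",
    "app/extra.dll": b"never in source control",
}


if __name__ == "__main__":
    ok, diff = check_release(manifest(REVIEWED_BUILD), SHIPPED_ARTIFACT)
    print("release matches reviewed build:", ok)
    for kind, paths in diff.items():
        if paths:
            print(f"  {kind}: {', '.join(paths)}")
```

The expected manifest has to come from somewhere the build pipeline cannot touch, for instance a reproducible build on a separate machine, otherwise a compromised pipeline simply produces a manifest that matches its own output. That is the supply-chain control; the code review and testing of the source are the secure-software control, and neither substitutes for the other.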
What about us? Do you think a case like this could happen here?
Or, more generally:
How do you rate the guarantees and controls on the security of software, including its updates, in our country (especially for ICS software)?
We welcome your comments, whether you agree or disagree with the above. They could become the subject of a further post, and a starting point for a substantive exchange of views.