As head of the Cisco Trust Office, Matt Fussa leads a global team that partners with government agencies, regulators, and customers to help shape cybersecurity regulation and manage cyber risk. He is one of Cisco’s representatives in the Network Resilience Coalition, an industry alliance focused on seeking solutions to cybersecurity threats to our global economic and national security, particularly attacks that exploit gaps in software maintenance in critical infrastructure.
I recently participated in the Network Resilience Coalition (NRC) event, where it launched its “Protecting Network Resiliency” white paper highlighting recommendations to improve the overall security of networks, especially those containing outdated and unpatched infrastructure.
The event provided a valuable platform for discussing key themes from the paper, including how to address the full security lifecycle, from sourcing, development, and deployment through maintenance and end-of-life, and the work of the OASIS OpenEoX working group to develop a standard for publishing end-of-life and end-of-support information. It also provided the opportunity for candid dialogue about the complexity of securing networks and critical infrastructure while building a foundation of trust and understanding among technology vendors, network operators, and government leaders.
I was pleased to see active engagement from a wide range of voices and perspectives on the topic of addressing global cybersecurity threats, including Ari Schwartz of research partner Venable LLP, Eric Goldstein of CISA, Nicholas Leiserson of the White House Office of the National Cyber Director (ONCD), and industry peers Kathryn Condello of Lumen and Dr. Carl Windsor of Fortinet.
Key areas of agreement included viewing network resilience through the lens of national security and accelerating efforts to better protect critical infrastructure, by assigning responsibility:
- Vendors need to produce more secure products by default and make it easier for customers to patch
- Customers need to invest resources to maintain and secure their networks adequately
- Vendors need to ensure adequate investment, resources, and attention are dedicated to the foundational networks that support new innovations they seek to deploy
- Government should ensure incentives are aligned to those organizations who are at greatest risk
Network Resilience Viewed through the Lens of National Security
While network resilience has garnered greater interest among cybersecurity experts and network practitioners whose outdated infrastructure is being targeted, the topic has recently been thrust into the public dialog regarding threats to national security.
Recent Congressional testimony and news reports about attackers based in China and other nation-state actors targeting critical infrastructure and core intellectual property place the need for network resilience into stark view. The timing of this news reporting and testimony was particularly relevant, as these themes were actively discussed during the NRC event and afterward in press interviews.
Eric Goldstein, executive assistant director for cybersecurity at CISA, shared that dealing with end-of-life and end-of-support products was becoming one of cybersecurity’s most challenging and prevalent structural issues. “The U.S. government is not only not immune from this challenge; we are one of the biggest victims.”
My personal view is that we should view these recent incidents as an immediate call to action to start this essential discussion now and transition to action as quickly as possible. Recent testimony before the U.S. House of Representatives by senior government cybersecurity leaders highlighted the efforts of sophisticated threat actors such as Volt Typhoon, who exploit known but unpatched vulnerabilities, often in end-of-life products that will never receive a fix, to gain access to unsupported hardware and establish a persistent presence in target networks, creating significant risk to critical infrastructure. Our national security depends on improving network resilience with a sense of urgency and working together to implement real solutions. There is no single “silver bullet.” Improvements can only happen through tangible efforts to enhance the quality and security of software, combined with effective security operations and network management.
Accelerating Efforts to Protect Critical Infrastructure
While many of the threats discussed in recent news coverage were viewed from a U.S. perspective, sophisticated cyberattacks from nation-state threat actors are a global concern and require accelerating efforts to protect critical infrastructure. The UK’s National Cyber Security Centre (NCSC) also recently issued a warning about state-sponsored attackers using the native tools and processes already built into computer systems (so-called living-off-the-land techniques) to gain persistent access and avoid detection, since such activity leaves no malware to find and blends in with legitimate administration.
To help address these escalating risks, the NRC discussed the following strategies: 1) public-private partnerships, 2) targeted regulatory standards, and 3) using technology to automate risk management:
Public-Private Partnerships
The scale and complexity of these cyber threats require an active partnership with governments, regulators, customers, and security vendors to share threat information and collaborate on security solutions. This includes actively participating in forums such as the NRC and using them as an opportunity to engage and influence the public dialog around national cybersecurity risks.
In a follow-up interview, CISA’s Eric Goldstein shared his viewpoint regarding this partnership: “The federal government will need to collaborate with vendors to create strategies that can reduce the risk posed by end-of-life and end-of-support products.”
“The government will also need to work with the private sector on identifying funding sources to help ‘target rich, resource-poor’ organizations in healthcare, water, and K-12 education. These funding sources could come in the form of grants, discounts, and subsidies from both the government and the private sector,” he said, emphasizing the need to “think creatively.”
Regulation/Compliance/Standards
To accelerate our ability to mitigate cyber risks, we must align development processes to industry best practices, such as using the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF, NIST SP 800-218) as a reference and implementing Secure by Design principles to manage risk.
We also need to continue partnering globally with legislators and policymakers on comprehensive regulations such as the EU Cyber Resilience Act (CRA) to find the right balance of compliance, transparency, and risk management to protect vital critical infrastructure. Industry has an essential role to play in helping to inform emerging standards so that our compliance investments generate security outcomes.
Automating Risk Management
Artificial Intelligence (AI) and Machine Learning (ML) provide an excellent opportunity for automating risk management when coupled with existing security technologies and will be an essential part of our cybersecurity future. One of the opportunities discussed during the event was using an emerging standardized, machine-readable format (e.g., OpenEoX) to publish end-of-life and end-of-support dates, so that the right operational security actions to protect the network can be triggered automatically rather than by manually reading vendor bulletins. In a press briefing at the NRC event, several of the presenters provided their viewpoints on the topic:
Ari Schwartz, managing director at Venable, stated that automation can be helpful in the identification of what’s on the network as networks become more complex; in addition, automating the patching and tagging of the vulnerabilities can extend to when products go out of life.
Kathryn Condello, senior director of national security and emergency preparedness at Lumen Technologies, echoed her perspective that automation plays into every single portion of the lifecycle of managing the security risks of end-of-life networking products.
Eric Wenger, from Cisco global government affairs, also noted that automation itself will evolve as we deepen our understanding of how to cooperatively engage in network security. “Initially, automation will enable identification of devices on the networks, boosting our ability to assess and communicate the security posture of those devices and driving the application of limited resources to the areas of greatest risk. Our end goal is to automate risk mitigation.”
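The two passages above, on machine-readable end-of-life data driving operational action and on automation first identifying devices and then steering limited resources to the areas of greatest risk, describe a workflow that is easy to sketch in code. The following is an added example written for this post; it is not code from Cisco, the NRC, or the OASIS OpenEoX project. The feed layout (`product_id`, `end_of_security_fixes`, `end_of_support`, `successor`) is an assumed, simplified stand-in for an OpenEoX-style document, not the real schema, and both the feed and the inventory are constructed sample data. It cross-references an inventory against the feed, assigns each device a lifecycle status, and ranks the result so that end-of-support devices exposed to the Internet come first and products missing from the feed are flagged rather than silently treated as supported.

```python
"""Cross-check a network inventory against a machine-readable end-of-life feed.

Added example for this post, not Cisco, NRC or OpenEoX code. The feed field
names are an assumption standing in for an OpenEoX-style document; the real
schema is defined by the OASIS OpenEoX project and may differ.
"""
import json
from datetime import date, timedelta

# Constructed sample feed (assumed field names, not the real OpenEoX schema).
EOX_FEED_JSON = """
{
  "products": [
    {"product_id": "RTR-1000", "end_of_security_fixes": "2022-06-30",
     "end_of_support": "2024-06-30", "successor": "RTR-2000"},
    {"product_id": "RTR-2000", "end_of_security_fixes": "2029-01-31",
     "end_of_support": "2031-01-31", "successor": null},
    {"product_id": "SW-300",   "end_of_security_fixes": "2024-09-30",
     "end_of_support": "2025-03-31", "successor": "SW-400"}
  ]
}
"""

# Constructed inventory: what discovery found on the network.
INVENTORY = [
    {"hostname": "edge-rtr-01", "product_id": "RTR-1000", "internet_facing": True},
    {"hostname": "core-rtr-02", "product_id": "RTR-2000", "internet_facing": False},
    {"hostname": "dist-sw-07",  "product_id": "SW-300",   "internet_facing": False},
    {"hostname": "lab-fw-99",   "product_id": "FW-OLD",   "internet_facing": True},
]

# Most urgent first. A product absent from the feed cannot be assessed, so it
# is ranked above merely "approaching" products instead of being assumed safe.
STATUS_RANK = {
    "end_of_support": 0,     # vendor will never ship a fix; replace or isolate
    "no_security_fixes": 1,  # still nominally supported, but no more patches
    "unknown_product": 2,    # not in the feed: verify product ID and lifecycle
    "approaching_eos": 3,    # security fixes end inside the planning window
    "supported": 4,
}
ACTIONS = {
    "end_of_support": "replace or isolate now; no vendor fixes will ever ship",
    "no_security_fixes": "plan replacement; apply compensating controls meanwhile",
    "unknown_product": "not in feed: confirm product ID and obtain lifecycle data",
    "approaching_eos": "schedule migration before security fixes end",
    "supported": "keep patched; re-check feed on every refresh",
}


def load_feed(text: str) -> dict[str, dict]:
    """Parse the feed into a lookup keyed by product_id with real date objects."""
    feed = {}
    for entry in json.loads(text)["products"]:
        feed[entry["product_id"]] = {
            "end_of_security_fixes": date.fromisoformat(entry["end_of_security_fixes"]),
            "end_of_support": date.fromisoformat(entry["end_of_support"]),
            "successor": entry.get("successor"),
        }
    return feed


def classify(product_id: str, feed: dict, today: date, window_days: int = 180) -> str:
    """Map one product to a lifecycle status as of `today`."""
    entry = feed.get(product_id)
    if entry is None:
        return "unknown_product"
    if today >= entry["end_of_support"]:
        return "end_of_support"
    if today >= entry["end_of_security_fixes"]:
        return "no_security_fixes"
    if entry["end_of_security_fixes"] - today <= timedelta(days=window_days):
        return "approaching_eos"
    return "supported"


def triage(inventory: list, feed: dict, today: date, window_days: int = 180) -> list:
    """Annotate inventory rows with status/action and sort by urgency, exposed first."""
    rows = []
    for dev in inventory:
        status = classify(dev["product_id"], feed, today, window_days)
        rows.append({**dev, "status": status, "action": ACTIONS[status],
                     "successor": feed.get(dev["product_id"], {}).get("successor")})
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], not r["internet_facing"], r["hostname"]))
    return rows


def run_report(today_iso: str, window_days: int = 180) -> list:
    """Convenience entry point: triage the sample data as of an ISO date string."""
    return triage(INVENTORY, load_feed(EOX_FEED_JSON), date.fromisoformat(today_iso), window_days)


if __name__ == "__main__":
    for r in run_report(date.today().isoformat()):
        exposure = "internet-facing" if r["internet_facing"] else "internal"
        print(f"{r['hostname']:<12} {r['product_id']:<9} {r['status']:<18} {exposure:<15} {r['action']}")
```

The ordering is the part worth copying: status first, exposure second, so an end-of-support edge router outranks an end-of-support lab box, and a product the feed does not know about is surfaced for investigation instead of disappearing from the report. A real deployment would replace the embedded feed with the vendor's published OpenEoX document once the standard is finalized and feed the inventory from the asset-discovery system.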
The NRC and its partnerships with government and cybersecurity agencies have underscored the need for radical transparency among these key industry stakeholders. We must continue accelerating our efforts to share information and collectively identify near-term, actionable solutions to overcome cyberattacks that have dramatically increased in sophistication and potentially threaten national security interests.
Network Resilience Resources
- Network Resilience Coalition: White Paper
- Cisco Trust Center: Network Resilience
- It Is Time to Harden Our Global Infrastructure
- The Time Is Now for Organizations to Address Their Aging Infrastructure