Trust, but Verify: Avoiding Cybersecurity Blind Spots

Nationally, there has been a continuous stream of cybersecurity breaches, such as ransomware installation, theft of intellectual property and personal information, and damages to critical infrastructure. Most of these incidents result from the supply chain lacking basic cybersecurity risk mitigation measures. The situation is like the situation at the end of the 19th century when a new technology (electricity) was implemented nationally. The method to resolve the risk then focused on eliminating safety blind spots and ensuring that those who installed and maintained the new systems did it correctly.

When I was a young man, my parents owned apartment buildings, and my family spent many weekends maintaining them. My father, who had been doing this since he was a boy, knew all the skills required and gained all the appropriate certifications to do things properly and “to code.” Often when our work was completed, a building inspector needed to inspect the apartment before renting it again. For over a century, we’ve had third-party verification of electrical, fire, and building codes, and we expect inspectors will evaluate before we can call a project complete. The concept of third-party verification for risk mitigation is well established. It works well because it is minimal, flexible, consistent, and enforced. It helps ensure systems are properly secured and identifies blind spots. This is what cybersecurity needs.

Supply chain cybersecurity risk with small and medium businesses

Small and medium-sized businesses are part of almost every supply chain. They need to be able to protect their data for the security of their business and the security of the whole supply chain. However, these smaller companies may not have the financial capacity or the cybersecurity expertise to understand the risks. This results in blind spots that impact the entire supply chain. The more complex the supply chain is, the more difficult it can be to determine which companies are appropriately mitigating risks.

Reducing the systemic threat surface with the certified cloud

As information technology becomes more like a utility and organizations increase their reliance on cloud solutions, a substantial portion of the risk can be mitigated by the Cloud Solution Provider (CSP). The CSP has the scale to ensure proper cybersecurity risk mitigation is performed. Unfortunately, CSPs have traditionally taken the tact of “go fast and break things,” which doesn’t lend itself to healthy risk mitigation. The resolution is to leverage cybersecurity-certified cloud services known to have mitigated the risk. As smaller organizations start to implement cybersecurity-certified cloud solutions, much of the risk will be mitigated. If this is combined with buyers requiring their supply chain organizations to have third-party verification, much of the rest of the cybersecurity risk will be mitigated.

Let’s focus on third-party verification. Although many third-party verification methods exist, I will highlight just two based on my experience and their applicability in this situation:

• FedRAMP – for cloud-based capabilities – FedRAMP certification is incredibly rigorous and contains a thorough audit of controls. It’s continuous, has publicly available verification, and is audited annually.
• Cybersecurity Maturity Model Certification (CMMC) – for supply chain organizations – CMMC has three levels, with Level 1 and much of Level 2 being self-reporting. There are significant penalties for misrepresentation on self-reporting, and the implementation of controls varies from basic security to rigorous security.

These methods are costly and time-consuming, and for small and medium organizations not focused on government work, it may not be worth the effort. However, companies need to do something to mitigate this risk. Not doing so perpetuates the systemic cybersecurity risks in supply chains – and that matters to everyone, government or not.

Proactive industry-sponsored certification

The buyers in the supply chain need a method for third-party verification of cybersecurity risk mitigation. This method must focus on the most critical controls and be flexible for variability in how solutions are built. It must also be consistent in application to all participants and is enforced with penalties for not complying. Supply chain and cloud vendors need to be secure before they can sell their services to the government and the public, or it should be known when they aren’t certified.

Establishing new industry-sponsored certifications for the cloud and supply chain would support third-party verification efforts. The cloud cybersecurity certification and supply chain cybersecurity certification could be similar to FedRAMP and CMMC, respectively, but not government-centric and would use publicly available verification. This would make it more obtainable and easier to maintain while allowing organizations to verify that they are mitigating risks.

Trust, but verify

Third-party verification of building, fire, and electrical codes has existed for nearly a century in the U.S. If this same concept of verification is applied to cybersecurity, it would significantly reduce the national threat surface. Verification reduces risk and helps eliminate blind spots. It makes it possible to clearly identify which organizations in supply chains and cloud vendors have taken basic measures to secure sensitive information so we can make an informed decision about the risk as buyers. The solution to the problem of cybersecurity blind spots is to “Trust, but Verify.” This approach will make us all safer in the cyberworld.

Learn more about NTT DATA’s CyberSecurity Solutions for Government.