Is the US Federal Government Increasing Cyber-Risk Through Monoculture?

Could the US federal government inadvertently be creating perfect-storm conditions for another unprecedented cyber incident, one with widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage?

Setting the Stage

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve their cybersecurity posture and reduce the risk of a cyberattack. That is, of course, a good thing: many public entities have lacked the funds needed for a posture adequate to protect the personal data they hold or the services they provide.

Before this funding existed, each entity made its own cybersecurity decisions and had to pay for them out of its existing budget. A school district might select a vendor based on services and price, the neighboring district might choose a different vendor, and so on. To the financially frugal, this looks like a poor arrangement: if entities grouped together and used a single vendor, they would get volume discounts and spend fewer tax dollars.

But ask a cybersecurity professional to describe the ideal posture and they will use terms like "defense in depth" or "layers of defense." Defense in depth means overlapping controls so that no single failure lets an attacker through; vendor diversity is the related practice of not letting one supplier's failure take out every layer at once. Together they limit the damage of both attacks and accidents, such as CrowdStrike's single faulty update to its endpoint sensor driver causing a global outage at multiple major companies.

When the SolarWinds attack unfolded there were about 33,000 private, federal, and state customers of the affected Orion product, roughly 18,000 of which installed the malicious update. The backlash from this supply chain attack produced new requirements for supply chain security (notably Executive Order 14028, "Improving the Nation's Cybersecurity"), and that work continues today. While the attack was devastating, it was not a cyber-Armageddon event, because states, entities within states, and federal agencies were using a diverse set of products from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers shows how damaging a single-vendor problem can be: just 8.5 million devices were affected globally (less than 1% of Windows devices, by Microsoft's estimate), yet that was enough to cause mass disruption to airlines, healthcare facilities, businesses, and more.

Creating a Monoculture

Now consider the availability of SLCGP money, which is free money to spend on cybersecurity; it draws entities in like moths to a light. A state can apply for grant funds to cover multiple entities within its jurisdiction. Once the grant is awarded, a vendor is selected and offered to entities statewide, either free or heavily discounted thanks to volume licensing. This creates a monoculture cybersecurity environment, a perfect storm for a major cyber incident: if the primary vendor is attacked, ships a bad update, or has a significant vulnerability exploited, it could take out the entire state's services, every school district, every local government administration, and so on. The effect on everyday life could be devastating.

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of any kind, the incident becomes significant if enough parties are affected; if those parties are all concentrated in one state, it becomes a major incident for that state.

A single vendor may well become the de facto standard for states that apply for SLCGP funding. This is a real possibility: I personally know of several organizations that have been rolled into a common solution as part of a no-cost, or near-no-cost, state offering.

To put this in context, there are roughly 50 million school-age children in the US. If 90% of states standardize on one product, and that product covers state-funded education, a single incident in that product could disrupt the education of some 45 million children (assuming those states hold a proportionate share of pupils). Schools have already suffered badly when hit by cyber incidents, in some cases closing for weeks or months. And education is only one of the sectors exposed to single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term borrowed from farming, where it means growing the same single crop in the same field season after season. The remedy is crop rotation and diversity in planting, which protects both the crop and the soil: a field planted with one crop year after year suffers poor yields, and a single pest or blight can wipe out the entire harvest.

Promoting Diversity in Cybersecurity

In 2015, an academic paper examined the problems of monoculture in cybersecurity with respect to antivirus (AV) products. It concluded that "reduced infection rates were positively correlated with higher rates of AV activity, continuous AV product usage and status, and AV product diversity." That finding concerns detection: malware that evades one engine is more likely to be caught by another. The CrowdStrike case illustrates a second, distinct reason for diversity, correlated failure: a diverse product selection prevents a single incident, whether malicious or accidental, from causing a catastrophic outage everywhere at once.

By standardizing on a single product under the SLCGP, states are creating a dominant security product, a monoculture that becomes the default target for cybercriminals. An attacker needs to find a weakness in, or an exploitable vulnerability affecting, only one product to affect a significant share of services, potentially touching the entire population of a state.
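The intuition above can be made exact with a small calculation. The following is an added example, not code from the original article, and it rests on an assumed model: every entity in a state runs exactly one security product, vendor i holds share s_i of the entities, and each vendor independently suffers a disruptive incident (bad update or exploited bug) with probability p in a given period. The scenario names and shares are hypothetical. The point it shows is that the expected fraction of entities disrupted is the same (p) no matter how the market is split; what concentration changes is the probability of a statewide outage, and a single vendor with a dominant share reproduces the monoculture tail even when nominal "diversity" exists.

```python
"""Exact tail-risk calculation for vendor concentration (added example).

Assumed model, not taken from the article: each entity runs one product;
vendor i has share s_i of entities; each vendor independently has a
disruptive incident with probability p per period. The fraction of entities
disrupted is the sum of the shares of the vendors that had an incident.
Independence is itself an assumption: vendors sharing a dependency (the same
OS, the same cloud) fail together more often than this model predicts.
"""
from itertools import product
from typing import Dict, Sequence


def tail_probability(shares: Sequence[float], p: float, threshold: float) -> float:
    """P(fraction of entities disrupted >= threshold), computed exactly by
    enumerating every subset of vendors that could have an incident."""
    if abs(sum(shares) - 1.0) > 1e-9:
        raise ValueError("vendor shares must sum to 1")
    total = 0.0
    for outcome in product((False, True), repeat=len(shares)):
        prob = 1.0
        disrupted = 0.0
        for share, hit in zip(shares, outcome):
            prob *= p if hit else (1.0 - p)
            if hit:
                disrupted += share
        if disrupted + 1e-12 >= threshold:  # tolerance for float share sums
            total += prob
    return total


def expected_fraction(shares: Sequence[float], p: float) -> float:
    """Expected fraction disrupted. By linearity of expectation this is
    p * sum(shares) = p, however the shares are split between vendors."""
    return p * sum(shares)


def max_blast_radius(shares: Sequence[float]) -> float:
    """Largest fraction a single vendor incident can take down."""
    return max(shares)


# Hypothetical share splits for one state's entities (constructed inputs).
SCENARIOS: Dict[str, Sequence[float]] = {
    "monoculture (1 vendor)": [1.0],
    "dominant 70/10/10/10": [0.7, 0.1, 0.1, 0.1],
    "two vendors 50/50": [0.5, 0.5],
    "four vendors 25 each": [0.25] * 4,
}


def compare(p: float = 0.05, threshold: float = 0.5) -> Dict[str, Dict[str, float]]:
    """Expected loss, worst single-vendor blast radius, and probability that
    at least `threshold` of the state's entities are down, per scenario."""
    return {
        name: {
            "expected_fraction": expected_fraction(shares, p),
            "max_single_vendor_blast_radius": max_blast_radius(shares),
            "p_outage_at_threshold": tail_probability(shares, p, threshold),
        }
        for name, shares in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:24s} expected={stats['expected_fraction']:.3f} "
              f"blast={stats['max_single_vendor_blast_radius']:.2f} "
              f"P(>=50% down)={stats['p_outage_at_threshold']:.4f}")
```

With p = 0.05 and a "half the state down" threshold, the monoculture and the 70/10/10/10 split both give a 5% chance of a statewide outage, because the dominant vendor alone crosses the threshold. Splitting 50/50 actually raises that figure to 9.75%, since either vendor can now take half the state down, but it caps the worst case at 50% of entities instead of 100%. Only when no single vendor's share reaches the threshold (four vendors at 25%) does the probability fall, to about 1.4%, because two independent incidents must coincide. Diversity therefore buys a smaller blast radius and a thinner tail, not a lower average loss, and only if no vendor is allowed to dominate.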

The solution is to promote, and require, diverse layered defense architectures, and this should be a condition of receiving SLCGP funding. Diversity does carry a cost in operational complexity and staff training, so the practical goal is not for every entity to run a different product, but for no single vendor to hold a share of a state's endpoints large enough that one bad update or one exploited flaw takes the whole state down.
