The massive penetration of computer systems of multiple US government agencies that came to light over the past few weeks is unprecedented in its ambition and boldness, as well as the damage it has caused and mistrust it has sown. While its extent and impact are still being assessed, there is little doubt as to the attack vectors via which the malware was introduced, and the identities and affiliations of the threat actors.
Politicians and pundits have lost little time in pointing fingers at the security solution vendors involved and at the government agencies themselves, who “allowed” the attack to occur. But for the most part, those of us in the cybersecurity industry – even direct competitors of SolarWinds and FireEye – know better than to assign blame.
The truth is that both digital technologies and cybersecurity solutions are so complex and change so rapidly that vulnerabilities will always be with us – as will malicious actors who devote full-on effort to exploiting them. The idea of a comprehensive solution may well be a chimera, since the very playing field is constantly moving and morphing. Certainly the proposal, touted by political leaders, of tightening industry standards and vetting procedures is impractical. As Andy Keiser, a former top House Intelligence Committee aide, commented, “The standards would be slow, outdated, cumbersome, and pick incorrect winners and losers.”
Beyond the inherent dynamism of the task, a shortage of qualified practitioners leaves many organizations insufficiently protected. A staggering 3 million cybersecurity positions are expected to remain vacant next year for lack of qualified individuals to fill them.
Given these disturbing facts, the true challenge is how well the industry as a whole can protect the organizations, government agencies and businesses that rely on digital technology (which is to say, every organization, agency and business today), despite the very real risks and vulnerabilities.
It is for this reason that we, the organizations and leaders of the cybersecurity industry, regard ourselves as a collaborative community. While retaining a healthy and productive competitive spirit, we actively share best practices via industry groups such as the Cloud Security Alliance (CSA), the Cyber Threat Alliance (CTA), the Open Web Application Security Project (OWASP), SANS and other organizations, with the goal of minimizing the vulnerability of all digital technology users – individuals as well as organizations in the public, private and not-for-profit sectors.
Crime will always be with us. But a case like this, with state-sponsored actors attempting to corrupt and manipulate the very means by which a sovereign nation governs, demands a concerted industry approach.
Like all right-minded, responsible cybersecurity researchers, vendors and practitioners, we strongly condemn these attacks and welcome the opportunity to collaborate with all parties to assist impacted organizations and support their recovery efforts however we can, as individuals, as a business or as partners for industry action.
Finally, as this very challenging year comes to an end, I’ll close with my wishes for good health, security, economic growth, and a return to warm, in-person interactions with colleagues, friends, and loved ones.