America’s path to cyber resilience
April 12, 2021
Over the last several months, for those of us in the cybersecurity industry, SolarWinds has become a generic term reflecting a scary reality—the United States public and private sectors are not as cyber-resilient as we once thought. As a security services provider to many companies performing national critical functions we believe strongly in designing security in from the start—from the C-Suite to every endpoint and across business ecosystems–relying on innovation and adaptative security approaches to protect personal information, trade secrets and other items of value.
The bottom line for us is that SolarWinds wasn’t an anomaly, and rampant ransomware attacks are no longer unique; these attacks are illustrative of what has become an unacceptable norm of insecurity. So, we as a nation and as businesses have to do more. After many years, we still have applications and systems that are not patched. Companies still write code fraught with vulnerabilities. And many third-party suppliers and vendors are small businesses that struggle to secure their systems and processes.
We know we can do better to stop sophisticated nation state cyber-attacks while defending against ransomware attacks and organized cybercrime groups. The United States has an incredible capacity for innovation and leadership. Unfortunately, our current posture is not effective. While the U.S government and leading companies invest in proactive, innovative cybersecurity programs, they struggle daily with the complexity of a growing inventory of tools which defend against thousands of actors attacking thousands of applications and operational technologies (OT). And they do this while simultaneously working to modernize, whether that means moving from on-premises technology to the cloud, or simply upgrading from a legacy system to a newer, more secure version.
<<< Start >>>
We have been taking the easy and cheap way out on cybersecurity, and that’s gotten us to the unacceptable predicament of daily attacks and breaches of critical systems in our public and private sectors.
<<< End >>>
It’s clear we must break some eggs to disrupt the status quo. The Cyberspace Solarium Commission did an exemplary job of shining a light on many of the fundamental shifts we must, as a country, embrace. The Commission put forth a well-conceived national framework and made sound and prudent recommendations that can help increase our national cyber resilience. But they don’t have a monopoly on good, bold ideas to improve the state of U.S. cybersecurity; indeed, many critical infrastructure companies, federal advisory committees, and cybersecurity leaders have developed thoughtful recommendations that can make real impacts. But if SolarWinds has taught us anything, it’s that now is the time for bold actions.
To that end, we see three opportunities for meaningful change.
First, as our government considers investments in clean energy infrastructure, we must ensure that new technologies improve our energy security and resiliency alongside sustainability. As part of any initiative, engineering teams and security teams should be incentivized to work together to implement security-by-design so that we don’t get to a day, five years from now, when we have to rip out and replace OT or IT that are going to power this modernization. And as the United States builds out additional broadband and 5G capacity to close the digital divide, we should also remember that security needs to be built in from the beginning there too.
Industry experts are concerned about the expanding energy infrastructure in particular for a few reasons: (a) the underinvestment in security to date already puts the energy system at a higher risk to begin with; (b) the increasing electrification of our economy makes it more vulnerable to security attacks, multiplying the financial and other damage; and (c) the shift toward greater remote connectivity and integration of OT and IT within the energy system increases the exposure to security breaches. Looking across the U.S. energy industry, we assess that the market demand for security is insufficient to defend against the threats. The impending modernization of electricity production, distribution and use, through investments in clean energy infrastructure, makes this an imperative that needs to be addressed now.
Second, we should embrace the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) as the nation’s risk advisor. CISA should be granted the resources and authorities to effectively perform its mission to defend national critical functions in coordination with sector specific agencies, while also defending federal networks. Anything less than that would simply be a continuation of the status quo.
Finally, we need market transparency to drive more informed investments. The Solarium Commission recommended that Congress create a cybersecurity certification and labeling authority. While there are many legitimate questions about how to do this well, there is no question that it’s time to give consumers better information about the security that’s built into the products that they rely on each and every day. Taking this step will give software and hardware companies incentives to design their products in accordance with cybersecurity frameworks and standards. It will also give critical infrastructure buyers of this hardware and software better information to evaluate which suppliers prioritize security and whether that security is worth the price. This market-based approach to security could help CEOs and boards drive resilience into businesses of all types and sizes, and better understand the risks of buying products with inadequate security.
None of the steps outlined here are easy. None of them are likely to be particularly cheap either. But as a country, we have been taking the easy and cheap way out on cybersecurity for decades, and that’s gotten us to the unacceptable predicament of daily attacks and breaches of critical systems in our public and private sectors. It’s time to take a new view of managing cybersecurity risks. We must change how we have been approaching cybersecurity as the past decades clearly have not been effective. Let us move together to make a step change. If we don’t, we have no one to blame but ourselves.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.