Cybersecurity and
Infrastructure
Security Agency
Government Should Set Minimum Cybersecurity Standards in IT Procurement, Expert Says
The government should set a minimum cybersecurity standard in its procurement of information technology to prevent incidents like the SolarWinds breach, according to a cybersecurity expert.
Jeanette Manfra, a former top official at the Cybersecurity and Infrastructure Security Agency, emphasized the importance of securing large acquisition vehicles, which are essential for cybersecurity modernization, FedScoop reported.
“The government is a very large consumer. They need to be driving what those security standards are that they want to see through their procurements,” Manfra said during an event hosted by the Center for Strategic and International Studies.
Manfra and other cybersecurity experts at the event agreed, however, that compliance with the minimum cybersecurity standards should be voluntary for the private sector.
The SolarWinds hack, which is widely attributed to Russia, compromised the networks of several federal government agencies and more than a hundred American companies.
Some officials, including former CISA Director Chris Krebs, a two-time Wash100 winner, expect more data breach attempts from U.S. adversaries.
CISA acting Director Brandon Wales said the agency itself is looking to implement improvements to its Einstein intrusion detection system, whose perimeter-focused security measures failed to stop the SolarWinds breach.
While the hack is widely believed to have been done by Russia, Cohen Group senior counselor Ed Cardon said the cybersecurity community is still working on true attribution.
Cardon said there are gaps in information sharing between the government and the private sector that are making it more difficult to truly determine the perpetrator. Actions such as the collection of DNS logs could go a long way in helping with attribution, Cardon said during the CSIS event.
Category: Cybersecurity