do hackers get hired by the government


Introduction:

1. Following a Series of Government Hacks, Biden Closes Out His Administration With New Cybersecurity Order


2. How Hackers Help Secure the U.S. Government

Following a Series of Government Hacks, Biden Closes Out His Administration With New Cybersecurity Order

  On Thursday, in his final week in office, President Joe Biden issued an executive order intended to strengthen the nation’s cyber defenses, in part by requiring software providers like Microsoft to provide proof that they meet certain security standards before they can sell their products to the federal government.

  The action follows an onslaught of cyberattacks in recent years in which hackers linked to Russia, China and other adversaries have exploited software vulnerabilities to steal sensitive documents from federal agencies.

  In demanding more accountability from software makers, Biden pointed to instances in which contractors “commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise.”

  In June, ProPublica reported on such a case involving Microsoft, the largest IT vendor to the federal government. In the so-called SolarWinds attack, which was discovered shortly before Biden took office, Russian state-sponsored hackers exploited a weakness in a Microsoft product to steal sensitive data from the National Nuclear Security Administration and other agencies. ProPublica found that, for years, Microsoft leaders ignored warnings about the flaw from one of their own engineers because they feared that publicly acknowledging it would alienate the federal government and cause the company to lose ground to competitors.

  That profit-over-security culture was driven in large part by the rush to gain ground in the multibillion-dollar cloud computing market, the news organization reported. One former Microsoft supervisor described the attitude as, “Do whatever it frickin’ takes to win because you have to win.”

  Microsoft has defended its decision not to address the flaw, telling ProPublica in June that the company’s assessment at the time involved “multiple reviews” and that it considers several factors when making security decisions, including “potential customer disruption, exploitability, and available mitigations.” But in the months and years following the SolarWinds hack, Microsoft’s security lapses contributed to other attacks on the government, including one in 2023 in which hackers connected to the Chinese government gained access to top U.S. officials’ emails. The federal Cyber Safety Review Board later found that the company had deprioritized security investments and risk management, resulting in a “cascade of … avoidable errors.”

  Microsoft has pledged to put security “above all else.”

  To be sure, Microsoft is not the only company whose products have provided hackers entree to government networks. Russian hackers in the SolarWinds attack gained access to victim networks through tainted software updates provided by the Texas-based SolarWinds company before exploiting the flawed Microsoft product.

  To help prevent future hacks, the government wants IT companies to provide proof that they use “secure software development practices to reduce the number and severity of vulnerabilities” in their products, according to the order. In addition, the government “needs to adopt more rigorous third-party risk management practices” to verify the use of such practices, Biden said. He asked for changes to the Federal Acquisition Regulation, the rules for government contracting, to implement his recommendations. If fully enacted, violators of the new requirements could be referred to the attorney general for legal action.

  Biden also said that strengthening the security of federal “identity management systems” was “especially critical” to improving the nation’s cybersecurity. Indeed, the Microsoft product that was the focus of ProPublica’s June article was a so-called “identity” product that allowed users to access nearly every program used at work with a single logon. By exploiting the weakness in the identity product during the SolarWinds attack, the Russian hackers were able to swiftly vacuum up emails from victim networks.

  In November, ProPublica reported that Microsoft capitalized on SolarWinds in the wake of the attack, offering federal agencies free trials of its cybersecurity products. The move effectively locked those agencies in to more expensive software licenses and vastly expanded Microsoft’s footprint across the federal government. The company told ProPublica that its offer was a direct response to “an urgent request by the Administration to enhance the security posture of federal agencies.” In his executive order, Biden addressed the fallout of that 2021 request, directing the federal government to mitigate the risks presented by the “concentration of IT vendors and services,” a veiled reference to Washington’s increased dependence on Microsoft, which some lawmakers have referred to as a “cybersecurity monoculture.”

  Though the order marks a firmer stance with the technology companies supplying the government, enforcement will fall to the Trump administration. It’s unclear whether the incoming president will see the changes in the executive order through. President-elect Donald Trump has emphasized deregulation even as he has indicated that his administration will take a tough stance on China, one of the nation’s top cyber adversaries.

  Neither Microsoft nor the Trump transition team responded to requests for comment on the order.

  Thursday’s executive order was the latest in a series of regulatory efforts impacting Microsoft in the waning days of the Biden administration. Last month, ProPublica reported that the Federal Trade Commission is investigating the company in a probe that will examine whether the company’s business practices have run afoul of antitrust laws. FTC attorneys have been conducting interviews and setting up meetings with Microsoft competitors, and one key area of interest is how the company packages popular Office products together with cybersecurity and cloud computing services.

  This so-called bundling was the subject of ProPublica’s November investigation, which detailed how, beginning in 2021, Microsoft used the practice to box competitors out of lucrative federal contracts. The FTC views the fact that Microsoft has won more federal business even as it left the government vulnerable to hacks as an example of the company’s problematic power over the market, a person familiar with the probe told ProPublica.

  Microsoft has declined to comment on the specifics of the investigation but told the news organization last month that the FTC’s recent demand for information is “broad, wide ranging, and requests things that are out of the realm of possibility to even be logical.”

How Hackers Help Secure the U.S. Government

  Criminals and foreign adversaries know how to exploit our digital weaknesses and vulnerabilities to attack the U.S. government and American businesses. But a growing number of federal agencies and some of the biggest businesses in the world use those same offensive techniques and strategies to help defend against increasingly sophisticated cyberattacks.

  Digital security has never been more important — nearly 80 percent of IT leaders worry their organizations aren’t sufficiently protected against cyberattacks at a moment in history when those attacks are coming more frequently than ever. The recent SolarWinds Orion hacking campaign and the barrage of attacks targeting vulnerable Microsoft Exchange servers are only the latest examples.

  That’s why a new approach to cybersecurity is essential.


  “Historically, most large corporations and government agencies would leverage internal resources to evaluate security or use consulting firms to perform a time-bound penetration test or security assessment,” says Jay Kaplan, CEO and co-founder of Synack, a crowdsourced security testing firm. “But both of these approaches are flawed, and a single missed vulnerability can lead to a complete breach of an entire network. It really just takes one foothold.”

  The solution is a “crowdsourced” security model that brings the most skilled ethical hackers — researchers who approach security from the attacker’s point of view — to help organizations stay ahead of criminal and nation-state hackers by testing and improving their digital defenses.

  “The goal is to create a higher-efficacy model that better mimics the offensive mindset,” says Kaplan, a former government hacker at the National Security Agency. “And I think we’ve really done that.”

  At least 22 U.S. government agencies and departments — as well as many of the biggest global businesses and financial institutions — have embraced the approach. Like many businesses, the federal government has also recognized that the crowdsourced penetration testing model is about as close as an organization can get to testing systems against a real-world adversary.

  In fact, over the past several years, the Department of Defense has run numerous “Hack the Pentagon” programs that allowed independent security researchers to find vulnerabilities inside Pentagon networks. Increasingly, government officials have embraced the approach and see the growing value of crowdsourcing when it comes to protecting the most sensitive networks and systems in the world.

  Initially, however, some government agencies and officials were leery of allowing outside researchers access to their critical technology or digital assets, Kaplan notes. But those early concerns have faded as officials learn about the rigorous requirements for groups such as the Synack Red Team, that company’s network of ethical hackers, and the benefits of the crowdsourced approach to security testing.


  Kaplan says that all of the “white-hat” hackers on their crowdsourcing platform are highly vetted with background screenings and skill assessments. And every security researcher on their Red Team goes through a nondisclosure process and is under contract with Synack.

  Kaplan sees the role of crowdsourced security growing rapidly. Synack’s platform offers always-on security, a managed vulnerability disclosure program, AI-powered security testing, crowdsourced vulnerability discovery and continuous penetration testing. The company currently protects more than $6 trillion in Fortune 500 and Global 2000 revenue in addition to working across the U.S. government.

  That breadth of experience has given Kaplan and others in this space plenty of insight into government security, and many see a greater role for this kind of testing to help agencies defend themselves against sophisticated attacks such as the SolarWinds campaign, which affected some 18,000 government and enterprise victims.

  “If you’re looking at the first line of defense for U.S. government agencies, there are two technologies in place: EINSTEIN 3 Accelerated (E3A) and Continuous Diagnostics and Mitigation (CDM) Program,” he notes. “None of those detected attacker activity due to the SolarWinds compromise.”

  Kaplan is optimistic that more government agencies will realize the power of a crowdsourced approach to security, but he warns that alone won’t solve the cybersecurity problem for the U.S. “The government needs to be more prescriptive,” he says. “Right now, the onus is on each individual agency to come up with their own cybersecurity strategy — there is really no unifying strategy.”

  The bottom line is simple, Kaplan says. “Before deploying any new endpoint to the network, or any new application, every single digital asset should undergo a crowdsourced security assessment.”

Last modified by: admin