If you are involved with cybersecurity, you will know about the SolarWinds attack. This is huge based on being a supply chain based attack. Cisco Talos posted a deep review of this attack found HERE. Bruce Schneier posted on the New York Times a interesting look at how we got here. That post can be found HERE.
Bruce Schneier brings up two problems that need to be solved. He points out information asymmetry meaning how to judge the security of the products we use. If a supply chain attack occurs, its a exploit against the tool before the customer receives it hence the customer is inheriting the result of the attack. This first problem is why the SolarWinds attack has so much visibility.
Second problem is interesting. Bruce Schneier points out a perverse incentive structure problem, which is based on the market encouraging organizations to make decisions based on their own interests. This however, contradicts the concept of sharing security data and attempting to secure everybody is a better approach to reduce the risk of large scale exploitation.
Combining both of these problems leads to companies looking to save money by taking on greater risk and then passing off that risk to others. Lets consider the average CISO. If they haven’t been attacked, its common for internal stakeholders to accuse the organization of spending too much on cybersecurity. The thought is “we haven’t been breached, what we have works. Lets save some money”. Then as soon as a breach occurs, the CISO is accused of not investing enough in security. I’ve personally pointed out risk to CISO’s who claim to not have the budget but then one day, I get a call saying they have money and need the technology NOW. I ask why and its due to a recent breach. This problem causes CISO’s to operate in the here and now as well as live within the care of the organization. Proactive security or looking at the overall industry typically is a big stretch to ask from a CISO leading to the issues Bruce Schneier points out.
Give this article a read when you have time. Again, it can be found at https://www.nytimes.com/2021/02/23/opinion/solarwinds-hack.html?referringSource=articleShare