White House proposes new cybersecurity ratings system
It's hard to remember a time when such venerable pieces of infrastructure have been so affected by security vulnerabilities. Firstly, enterprise software vendor SolarWinds issued a warning to its 300,000 customers that security vulnerabilities could allow attackers to take control of their systems.
The vulnerabilities in its Orion and Serv-U FTP packages followed hot on the heels of news in December that the company had been hacked in a suspected Russian attack.
This was then followed by a number of zero-day vulnerabilities being exposed in Microsoft Exchange Server, which have been actively exploited by a state-sponsored group backed by China.
The SolarWinds attacks alone were estimated to have affected around 18,000 organizations globally, and so the scale of the impact from these enterprise-level attacks is considerable.
It’s perhaps no surprise, therefore, that in a recent press call, the new Biden administration has spoken about the potential for a new cybersecurity rating system to provide enhanced visibility into the security aspects of popular hardware and software solutions.
“Mayor Bloomberg, a number of years ago, when he wanted to address restaurant sanitation, he realized, you know, the health department kept rating restaurants, and it just wasn’t changing anything. So he required restaurants to put a simple rating — A, B, C, D — in their front window to make a market — to make a market around health and sanitation,” they explain.
“And we’re looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from.”
The White House also explained that it is taking inspiration from Singapore, where cybersecurity standards are provided for a range of different Internet of Things devices. For instance, parents could buy a connected baby monitor and be able to understand how secure the product is before buying it. This approach is not present in the United States at the moment, but there are plans afoot to announce something in the coming weeks to place the country on that path.
Cybersecurity Labelling Scheme
A voluntary program had already been launched in Singapore back in October of last year, but to date, only smart home hubs and Wi-Fi routers have been evaluated. The Cybersecurity Labelling Scheme (CLS) aims to improve upon that by incorporating a much wider range of consumer devices, including smart lights, IP cameras, smart printers, and smart door locks. The hope is that this will improve cybersecurity hygiene across the nation.
The CLS incorporates four tiers of cybersecurity support, ranging from basic password protections and regular security updates at the bottom level to those products that have undergone rigorous third-party security testing at the top end.
The Singapore government hopes that the scheme provides consumers with a basic level of security assurance. It's something that the White House hopes to be able to replicate in some form in the coming weeks, with the recent high-profile attacks underlining the importance of improving cybersecurity across the country.
Nine federal agencies were compromised by the SolarWinds hack, with the government explaining that technology would be rapidly rolled out to plug the specific gaps identified in the attacks. These solutions will then be rolled out more widely across the federal government, as the government aims to ensure not only that the networks and systems are secure but also that there can be visible trust in those systems that are operating on behalf of the public.
There is a clear desire to limit the cost of incident response across the government, and so the White House said that it will be encouraging agencies to prioritize the use of products, applications, and services that have cybersecurity built in from the outset. Officials hope that clearly stating this ambition will not only support agencies in securing their systems but also create a clear market across the private sector for secure technologies.
“[We’re] thinking through rebooting the approach to software security, rebooting the approach to software security standards, and trying to get to a goal we have: that the level of trust we have in our systems is directly proportional to the visibility we have to their cybersecurity,” officials explained. “The level of that visibility needs to match the consequences if those systems fail.”
The cybersecurity rating system is an idea that has been advocated not only by a number of industry groups but also by the bipartisan Cyberspace Solarium Commission. If such ratings become law, however, they will not only help to make the market for cybersecure products but also showcase the renewed focus the government is putting on the security of digital infrastructure.