When it comes to safety, modern commercial aircraft are known not only for having backup systems, but in some cases, backups of their backups. If one part of a system fails, the entire aircraft can still function safely with backup systems. Redundancy is an added guarantee of safety and allows complex systems to be more reliable than the sum of their parts.
Like modern commercial aircraft, today’s networks are incredibly complex. Hackers are increasingly sophisticated. The attack rate is not going down, and attack vectors are constantly changing. Any weakness can be exploited. Networks need to employ a similar approach for cybersecurity ecosystems.
Russian threat actors exploited a vulnerability in SolarWinds Orion software. This persistent attack exposed Microsoft Office 365 customers’ email traffic, data and identities. This massive breach resulted from the addition of benign-looking code to one file, which gave threat actors the ability to operate unfettered in numerous networks. We now know that this hack exposed major federal government departments and private sector companies. Overreliance on the same software from one company is inherently risky.
The ubiquity of, and overreliance on, certain software products pose a great risk for future cyberattacks. This is especially apparent in the wake of the SolarWinds and Hafnium incidents. Unfortunately, nearly a year later, there is still a lot of work to be done. Federal agencies are working hard to shore up their cyber posture, and there is pressure to meet deadlines set by the cybersecurity executive order.
Cybersecurity is, at its core, about risk management. When I led information security in the federal government, a breach like SolarWinds was my worst nightmare. While nothing can stop 100 percent of breaches, there is a rational approach that organizations can take to minimize the risk of a massive breach. That rational approach involves diversity in the cybersecurity ecosystem.
Redundancy is built into complex systems such as aircraft, but there is risk with overreliance on one vendor for cybersecurity. That creates a single point of failure. Additionally, it may create vendor lock-in, making it more difficult to adopt innovative technology. As needs change and advanced threats arise, it’s important to have the flexibility to add new technology capabilities that can integrate easily to accomplish the mission securely.
Relying on a single technology provider to run an organization’s network and infrastructure systems could be disastrous. Putting all your eggs in one basket leaves you open to the business decisions, infrastructure vulnerabilities and pricing models of one company. The SolarWinds breach is a wake-up call to move away from a software monoculture.
There are ways to reduce the risk of software monoculture. Recognize that no product is foolproof. Avoid homogeneity in security by leveraging a portfolio of pure-play cybersecurity vendors. Remove single points of failure. Get identity right. Begin deploying endpoint security measures and zero trust. Be diverse.
Layering a series of interoperable security capabilities together onto a federal network is the best way to secure the government’s vast digital infrastructure. If a breach does occur, the network can be brought up more rapidly and run securely by relying on tools and technology not impacted. It is imperative for both the Defense Department and the federal government that resiliency based on blended offerings be built into IT solutions to deliver a layered, diverse and secure IT defense.
John Zangardi is the president of Redhorse Corp. and an independent board member at Forcepoint. He previously served as chief information officer at the U.S. Department of Homeland Security, acting CIO at the Defense Department and CIO at the Department of the Navy.