Tuesday, May 18, 2021

White House cyber chief at RSA: “The cost of insecure technology is staggering”

Cybersecurity is a “national security imperative,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, during a keynote address at the RSA Conference today.

Neuberger, echoing other White House advisors in the wake of major cyberattacks, said the U.S. needs to modernize its cybersecurity defenses to prevent future attacks from sophisticated nation-state attackers and criminals. In addition to being a national security imperative, it’s an “economic security imperative as well,” she added.

“The cost of insecure technology is staggering,” Neuberger said, citing a 2019 Ponemon study that put the average cost of a data breach at $13 million. “And that cost is borne at the end, by the victims, in incident response and cleanup. Small businesses, schools, hospitals, and local governments, who often have fewer resources, particularly struggle.”

While the cost of breaches has been widely documented by several industry reports, the public and private sectors can mitigate these threats by modernizing their security tools and processes, she added. “That alone should be incentive enough to change our ways,” Neuberger said. “And yet, have we? What does it take? This is the community who can drive the change.”

U.S. President Joe Biden “has elevated cybersecurity in a way that no other” president has previously done, Neuberger said. The White House is committed to boosting cybersecurity, she added, and the first order of business involves modernizing cyber defenses. “Following SolarWinds incident response, we were confronted by the hard truth: That some of the most basic cybersecurity prevention measures weren’t systemically rolled out across federal agencies,” she said.
This includes tools like multi-factor authentication, encryption, event logging, and endpoint detection, all of which play prominent roles in the cybersecurity executive order Biden signed last week. The White House directive requires federal agencies to adopt several cybersecurity best practices, including zero-trust architectures, multi-factor authentication, and encryption for data at rest and in transit. It also sets cybersecurity event log requirements for federal departments and agencies, and it mandates that these agencies deploy endpoint detection and response tools.

“We’ve taken immediate action to roll these out, but we have much more to do,” Neuberger said. “And we’re starting with the software that we buy.”

As the SolarWinds hack revealed, the software supply chain is often the weakest link and represents a serious threat that nation-states and criminals are eager to exploit. “The current model of build, sell, maybe patch means the products that the federal government buys often include defects and vulnerabilities,” Neuberger said. Vendors sell vulnerable software “with the expectation that they can patch later,” or even ignore the problem altogether, she added. “That’s not acceptable. It’s knowingly introducing unknown and potentially grave risks that adversaries and criminals then exploit. Security has to be a basic design consideration.”

Building security into the design process will save “thousands of dollars,” Neuberger said. To this end, the White House order requires that software sold to the government meet baseline security standards, and it introduces a so-called software bill of materials, meaning vendors have to list all of the third-party and open source code they use in a product. “Our efforts will pay dividends outside of the federal government, because much of the software the government buys is the same software that schools, small businesses, big businesses, and individuals buy,” Neuberger said.