Cyber security impacts every business regardless of their industry or what value companies place on their data. As the SolarWinds breach demonstrated, the impact of cyberattacks has a way of spreading rapidly. Simply put, addressing security should always be a key concern.
And, with appointments and confirmations occurring now, “We must act fast to secure our digital environment,” says James Hayes, vice president of government affairs at Tenable. “The worst thing policymakers can do right now is nothing.”
Hayes spent over a decade as an aide in the U.S. Senate, and maintains extensive ties within the government and cybersecurity sphere. Read on to hear his perspective on new appointees to major cybersecurity roles as well as what the administration’s major cybersecurity priorities should be within its first 100 days.
IW: Why should manufacturers be paying attention to the Biden admin's cyber approach/strategy?
Hayes: Connected manufacturing equipment makes manufacturing more efficient and cost-effective, but also exposes organizations to an expanded digital attack surface. If proper security controls are not put in place, this technology increases risk of attacks that could shut down equipment or bring operations to a complete halt.
The Biden administration’s proposed $10 billion investment in cybersecurity and IT modernization includes significant additional funding for CISA, the agency responsible for civilian cybersecurity. This funding will be critical to protecting the attack surface of manufacturers nationwide by increasing CISA’s ability to work with the industry and share best practices, threat assessments and other vital cyber considerations that can impact an organization.
We must also build security in from the start – every new piece of manufacturing equipment and every new factory should be designed with cybersecurity in mind.
The new administration's focus on IT and cyber modernization, and its proposed $10 billion investment in these areas, should go a long way in ensuring that the federal government and the private sector make cybersecurity a strategic priority.
We simply can’t afford to continue thinking about digital infrastructure as an afterthought, especially as ransomware increasingly targets manufacturers. The consequences of inaction are too significant to the nation’s manufacturers, the customers they serve and our economy.
IW: As these appointees are confirmed, what do you see as their biggest (initial) priorities?
Hayes: As the Biden administration continues to fill roles like the Director of CISA and the National Cyber Director, these cyber professionals will need to take quick steps to limit the exposure from SolarWinds and protect against future, similar attacks by implementing a whole-of-government approach to security.
Breaking down the silos that exist in government cybersecurity and sharing best practices and information between agencies will greatly improve the nation’s cyber posture.
One tool these appointees should focus on is Risk Based Vulnerability Management (RBVM). RBVM will give agencies the data they need to tackle the riskiest vulnerabilities first, significantly reducing the threat landscape.
They should avert efforts to recreate the wheel wherever possible. Instead, they should embrace leveraging the existing knowledge and expertise from the manufacturing sector through expanded public-private partnerships, like the working groups CISA currently has with the energy sector, to bring different organizations together and share best practices with each other and the government to help improve the entire sector’s cyber posture.
Lastly, we must push forward on third-party risk disclosures – when breaches or other cyber incidents happen, that information must be shared in a timely fashion so that the federal government and industry can work together to prevent it moving forward.
This is especially critical given the rise of ransomware attacks on manufacturers – we have to share intelligence and threat information for the security of the entire industry.
IW: What immediate challenges do they face?
Hayes: Slow confirmations for key agency leadership is problematic during government transitions. Given the urgency of the pandemic and security challenges created by SolarWinds, Senate-confirmed leaders are needed in key posts as quickly as possible to maintain continuity of operations and service delivery to constituents. The Director of CISA and the National Cyber Director fall squarely into this category as their expertise is needed to implement smart cyber policy to aid the manufacturing sector and other critical sectors of the economy.
There is also increasing concern that cybersecurity is simply not a priority, despite being one of the greatest threats we face. The Biden administration has committed to prioritizing cybersecurity, but Congress must follow suit. Whether that’s including funding in the next COVID relief package, as proposed by President Biden, or quickly acting to move another package, like infrastructure, with dedicated cybersecurity funding, cybersecurity must remain a priority.
