The March Cyberspace Solarium Commission report advised that businesses and the U.S government should incorporate layered cybersecurity into their defense strategy. Additionally, the report insists that Congress, “pass a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.” The issue surrounding the reasoning of this law is that most ransomware attacks are accomplished through the exploitation of both well-known and old vulnerabilities that were never patched due to negligence. Using an article published by Help Net Security, we’ll examine three gaps within the Cyberspace Solarium Commission report.

Negative Impact to the Software Industry

Placing full liability on software vendors could potentially limit innovation and raise the price for software. Help Net Security states, “The majority of organizations that suffer a breach due to the exploitation of a vulnerability fail to implement a patch that already exists. In those cases, the onus should be completely on the user and not the vendor.” To decrease the possibility of a negative impact, a balance should be met between the liability placed upon the vendor and the user. The more appropriate approach would be, “stiffening penalties for negligence in software creation, especially for multi-billion dollar tech firms,” but, “balanced with the cost trade-offs, innovation dampening, and other effective ways to deal with the challenges stemming from vulnerabilities.”

Inadequate Kill-Chain Based Logic

The Cyberspace report also misses the target when discussing the kill-chain process. According to Verizon’s 2020 Data Breach Investigation Report, exploitation of vulnerabilities accounts for less than 20% of breaches. The majority of breaches occur from the exploitation of, “misconfigured cloud servers and exposed credentials stored in software repos.” This type of exploitation is termed configuration exploitation.  Organizations must remember that vulnerabilities are just one of the ways that cybercriminals can access a network.

Comprehensive Defense Strategies

Patching is undeniably important, but not implementing a robust defense strategy into your network makes the patching process obsolete. Businesses and the U.S government need to understand that “continuously testing security controls against relevant TTPs will help prepare for what’s next when an attacker penetrates their network.” The information gathered from these tests will assist in, “measure[ing] the effectiveness of those defenses and help execute continuous improvements.” Ultimately, implemented cybersecurity methods shouldn’t be solely patching, but need to also be combined with “threat-informed defense.”