The March Cyberspace Solarium Commission report advised that businesses and the U.S. government should incorporate layered cybersecurity into their defense strategy. The report also insists that Congress “pass a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.” The problem with this law’s reasoning is that most ransomware attacks exploit well-known, old vulnerabilities that were never patched because of negligence on the part of the organization running the software. Using an article published by Help Net Security, we’ll examine three gaps in the Cyberspace Solarium Commission report.
Negative Impact to the Software Industry
Placing full liability on software vendors could limit innovation and raise the price of software. Help Net Security states, “The majority of organizations that suffer a breach due to the exploitation of a vulnerability fail to implement a patch that already exists. In those cases, the onus should be completely on the user and not the vendor.” To reduce the risk of such a negative impact, a balance should be struck between the liability placed on the vendor and the liability placed on the user. The more appropriate approach would be “stiffening penalties for negligence in software creation, especially for multi-billion dollar tech firms,” but “balanced with the cost trade-offs, innovation dampening, and other effective ways to deal with the challenges stemming from vulnerabilities.”
Inadequate Kill-Chain Based Logic
Comprehensive Defense Strategies
Patching is undeniably important, but without a robust defense strategy for your network, patching alone accomplishes little. Businesses and the U.S. government need to understand that “continuously testing security controls against relevant TTPs will help prepare for what’s next when an attacker penetrates their network.” The information gathered from these tests will help “measure[] the effectiveness of those defenses and help execute continuous improvements.” Ultimately, a cybersecurity program shouldn’t consist solely of patching; patching must be combined with “threat-informed defense.”