Infrastructure vendors, major network operators and several government agencies are teaming up under the banner of the Network Resilience Coalition to address a lack of vulnerability management among enterprises. Experts argued the move is sorely needed because technology companies are failing to encourage the level of visibility needed to mitigate cyber risks.
The coalition was formed to address vulnerabilities in an open and collaborative way and to inform technology providers, users and those creating or regulating security policy. It includes infrastructure vendors and major network operators such as AT&T, BT Group, Cisco, Fortinet, Juniper Networks, Lumen Technologies, Verizon and VMware. Government entities such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) have also joined the coalition.
The group aims to compose an investigative report by the end of the year and provide actionable recommendations to improve data and network security in support of the economy and national security. Failure to improve, coalition members said, could lead to cyberattacks on a global scale.
“We’re all approaching this issue from the core fact that life right now is way too easy for malicious cyber actors, whether they are nation states or criminal groups,” said Eric Goldstein, executive assistant director for the CISA, on a recent webinar. “Customers can't do it alone, and this really does need to be a collaboration between technology vendors, governments around the world.”
Derrick Scholl, senior director of Juniper Networks’ Security Incident Response team, added: “The unique opportunity we have here is the sort of combination of the vendors making the products, the customers using them and the governments trying to get folks to do the right thing, all in one location… The ability to have that level of collaboration with our end customers, and with folks making decisions and suggesting policy is highly attractive to me.”
Intruder, alert!
According to a recent Cisco Cybersecurity Readiness report, only 15% of organizations globally have a mature level of preparedness to handle the security risks of a hybrid world. Over half of organizations (55%) are still in their formative or beginner stages, a rating measured by whether companies have tried-and-true solutions in place for identity, devices, network, application workloads and data indexes.
Rather than blaming inadequate technology, the focus should be on encouraging good decision-making in user communities, some of which operate networks that are increasingly critical for national infrastructure, consumers and businesses, according to Paul Lawler of the NCSC. A large part of the work, he said during the webinar, is “just understanding how we can better help people identify good products and keep them up to date.”
Lawler’s sentiment alludes to the alarming cybersecurity readiness gap, which is driven primarily by poor patching and vulnerability management: critical software or hardware updates are not installed in a timely manner, leaving systems less secure than they could be.
The Cisco report concurred, noting that organizations should strive for security resilience. Security should be the foundation of a business’ strategy and prioritized company-wide so that threats are recognized faster, since “most organizations are already thinking about resilience in their financial, operational, organizational, and supply chain functions” and “security resilience cuts across all of them,” the report stated.
Collaboration between competitors such as Cisco and Juniper Networks will not only help speed up possible future standards, but also matters because “there is government interest in hearing from the industry at large on how this issue can be solved, how it can be mitigated from a governmental or regulatory perspective,” said Lawler.
Private companies have published their own vulnerability data for years now, but that has clearly not been enough. For example, in one case Cisco published a public patch back in 2018, yet active attacks were still occurring five years after the first publicly known exploit and a further year after the patch was available. Now, through the coalition, governments are stepping in.
“The idea that two governments have to go out and publish this kind of information is a call to action that our current system isn't working as well as we needed to, because all of this information was out there publicly years and years before,” said Lawler.
The coalition could pave the way to government-implemented official standards and procedures for the future of international security and law, according to Brad Arkin, SVP and chief security and trust officer at Cisco. This is the opportunity to provide oversight, whether through formal regulation or otherwise, and to bring this topic into government agencies’ conversations — “there's an opportunity to just put this on the list for the first time or higher on the list of priorities within that conversation,” he concluded.