Basic cybersecurity standards must start with procurements, experts say

Agencies will avoid becoming victims of future hacks, like the one SolarWinds experienced, by considering the risks of software before they buy.
Jeanette Manfra speaks Oct. 18 at CyberTalks in Washington, D.C. (FedScoop)

Government must do a better job of setting minimum cybersecurity standards when buying IT to avoid more breaches like the ones agencies suffered after the SolarWinds hack, say cyber experts.

Large procurements, in particular, should be used to drive modern security architectures that better protect entire systems, said Jeanette Manfra, director of government security and compliance at Google and a former top official with the Cybersecurity and Infrastructure Security Agency.

If agencies consider the risks of introducing software like SolarWinds Orion to their networks during the procurement process, they’ll also avoid introducing vulnerabilities.

“The government is a very large consumer,” Manfra said during a Center for Strategic & International Studies event Friday. “They need to be driving what those security standards are that they want to see through their procurements.”


While the government should also establish minimum cybersecurity standards for the private sector, experts agreed they should be voluntary and not become a check-the-box activity for companies.

The SolarWinds software supply chain attack began in March and was massive in scale at nearly 18,000 intrusions. At least nine federal agencies were compromised, with the extent of the damage still being assessed.

While the hack was detected in December and widely reported to have been committed by Russia, the reality is that true attribution is ongoing, said retired Lt. Gen. Ed Cardon, senior counselor at the Cohen Group.

All of this points to gaps in information sharing between government and the private sector.

“Info sharing is a pretty broad term,” Cardon said. “Just simple things like worldwide collection of DNS logs, it’s amazing how if we would just do that we could do a lot with attribution. But often those are missing; they’re not collected.”


CISA, which Manfra left in November 2019, continues to make inroads with companies to determine who has the information it needs to avoid specific cyberattacks, she said.

The agency was established to be the central clearinghouse on the civilian side for threat information from the private sector, said Rep. Michael McCaul, R-Texas.

The ranking member on the House Foreign Affairs Committee said he’s planning to introduce legislation establishing a mandatory breach notification system. Breach data could be easily anonymized to protect the companies involved and liability protection ensured, so companies wouldn’t withhold information for fear of lawsuits, McCaul said.

“Some companies don’t report this at all,” McCaul said. “And it’s important we have that threat information to share it not only with the private sector, where 80% of this resides, but across all departments within the federal government.”

Latest Podcasts