How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity

By Travis Galloway, head of government affairs, SolarWinds

The threat landscape in cybersecurity continues to evolve at breakneck speed, with new challenges emerging daily. Among the most pervasive threats stem from sophisticated cyberattacks sponsored by nation-states. These attacks are a growing menace to private businesses and public agencies alike, promising severe consequences for our collective security.

Private sector businesses recognize that they can be targets of advanced nation-state hackers seeking to achieve their geopolitical goals. For instance, China has been known to engage in extensive cyber espionage campaigns aimed at stealing technology and intellectual property to overtake the U.S. economy and its businesses. It was recently reported that the Chinese-sponsored Volt Typhoon group also persistently targets vulnerabilities in critical systems like electric grids, water systems, and ports.

These evolving cybersecurity threats to our nation were a central theme at the recent SolarWinds Day: A Trusted Vision for Government IT panel event, where SolarWinds President and CEO Sudhakar Ramakrishna was joined by Congressman Raja Krishnamoorthi, D-Ill., and Christopher D. Roberti from the U.S. Chamber of Commerce.

“It’s a very scary thing if you think about it,” said Rep. Krishnamoorthi, reflecting on the growing nation-state threats facing the United States. “Operation Typhoon is meant to preposition malware in our utilities in water systems, electric grids, you name it.”

During the event, the panelists highlighted several important takeaways for shoring up our shared cyber defenses, supply chain, and other critical infrastructure. The discussion emphasized the importance of public-private partnerships, adopting a “Secure by Design” framework that ensures security is an integral part of the entire software development process, and promoting ongoing cybersecurity education to ensure all levels of an organization share the responsibility of bolstering our shared defenses.

The Enduring Importance of Public-Private Partnerships

Today, no single entity can combat sophisticated cybercriminals and nation-state adversaries alone. As the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted, a collaborative effort among governments, private entities, and individuals is necessary if we are to address ongoing cyberwarfare successfully.

“No company, no matter how big or sophisticated, has a chance against a nation-state adversary,” said Roberti. “Therefore, the U.S. government needs to use its authority and capabilities together with the knowledge and resources of the private sector to tackle the threat.”

Part of this is the increasingly popular concept of a “community vigil,” where government agencies, private sector businesses, and other stakeholders work together to create a secure digital environment. This ongoing collaboration between governments and businesses underscores the significance of community-focused strategies to enhance national cybersecurity. By fostering transparent communication and resource sharing, organizations can reinforce our collective defenses – and harness a collective intelligence much greater than what any could achieve alone.

Setting New Standards Through a Secure by Design Framework

Cyber resilience involves more than just preventing cyberattacks. It also means being able to recover quickly and having strategies in place to detect and manage any breaches. This can be achieved by embracing Secure By Design guiding principles for software security and cyber resiliency. Informed by years of experience from industry-leading cybersecurity experts, the SolarWinds Secure by Design initiative is a gold-plated cybersecurity approach to software build systems and processes that provides an effective and novel defense for thwarting advanced supply chain cyber threats.

The proactive Secure by Design approach embeds security into software systems right from the start. By addressing security early in development, organizations can mitigate risks before they progress into serious threats. There are several ways to put Secure by Design into practical use. Engaging with governmental and regulatory bodies like CISA can enhance the flow of cyber threat information between public and private sectors.

Recently, CISA introduced the Secure Software Development self-attestation form to help organizations declare their cybersecurity commitments in a standardized, formal, and consistent manner. The form serves multiple purposes: it encourages organizations to evaluate their security postures, provides valuable data for benchmarking industry standards, and fosters a transparent environment where enterprises can learn from each other’s best practices.

Integrating Cyber Resilience as a Universal Responsibility

Driving a cultural shift to a Secure by Design posture requires clear communication from the top down that cybersecurity is a shared responsibility, where everyone plays a part in safeguarding the organization’s digital assets. This means that every individual in an organization, regardless of their level of technical expertise, must be aware of their role in maintaining a secure digital environment.

“Security information should be like a utility,” said Ramakrishna. “(Something) everyone should have access to (in order) to protect themselves. It shouldn’t be the job of just a few people.”

However, for this approach to work, ongoing education on the importance of cybersecurity and the steps that can be taken to ensure its success is essential for both technical and non-technical employees. This will help promote awareness and ensure that everyone understands their role and is prepared to play it well.

For executives at the highest level, this education is essential for making informed decisions, understanding how cybersecurity affects the business as a whole, and leading by example in promoting a culture of security awareness. For technical and IT staff, continuous learning helps them stay ahead of emerging threats, understand complex security tools and technologies, and implement best practices for threat mitigation. These initiatives make cybersecurity easier for everyone, even employees in non-technical roles, to understand and stress the importance of good digital practices to reduce human error – one of the primary causes of breaches.

Moving forward, embracing all of these strategies will not only enhance our collective cyber defenses but also set new industry standards – ones that prioritize security and resiliency of the systems we all rely on. As we continue to navigate a landscape marked by the ever-growing sophistication of cyber threats, our success in safeguarding the digital world will depend on our ability to adapt, innovate, and unite under this critical common goal.