On March 21, 2022, the White House published a Fact Sheet urging enterprises to take proactive steps to protect against potential future cyberattacks. BlackBerry commends the White House on its continued Zero Trust cybersecurity focus to increase America’s public and private defenses against escalating malicious cyber activity, which started with the President’s Executive Order “Improving our Nation’s Cybersecurity” (EO) last May.
Upon release of the EO, BlackBerry noted that, while it was a “game changer,” the EO was only the first of many steps that the Administration and Congress would need to take to address the evolving cybersecurity landscape. We stated at the time that “the [EO] in and of itself is not a panacea, even with long-overdue game changers like the SBOM [Software Bill of Materials] requirement. Nor is any other step in and of itself, but they are vital pieces. The true test is whether, and the speed at which, the President and Congress can put together these pieces in a comprehensive way. This includes implementation measures and increasing investment in secure digital infrastructure, commensurate with today’s daunting cyberspace challenges.” (The Hill, May 14, 2021).
Prior to the EO and in the year since, virtually every industry and government entity has found itself in the crosshairs of malicious nation-state actors, cybercriminal enterprises, or other actors intending harm. As the public and private sectors work together to address the elevated cyber threat environment, threat actors are increasingly employing off-the-shelf ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS) tools to execute attacks at scale and with increased frequency. This increase in RaaS and MaaS over recent years – especially targeting supply chains and critical infrastructure – has caused massive disruptions across the U.S. and its allies.
Critical Infrastructure, Critical Risk
As the BlackBerry® 2022 Threat Report states, “few [organizations] carry the same real-world risk from cyberattacks as those in the critical infrastructure sector. The public expects that utilities such as power, gas, water, and waste treatment will always be able to provide these necessary services. As a result, these organizations are ... lucrative targets for ransom and extortion.” The White House Fact Sheet aptly recognizes that government cannot take on these critical infrastructure cybersecurity challenges alone, as the private sector owns and operates much of the nation’s critical infrastructure.
Yet, it is not just critical infrastructure and large enterprises at risk. Rather, enterprises of all sizes are at risk of a cybersecurity breach and/or ransomware attack. In fact, our threat researchers found that small businesses face upwards of 11 to 13 cyberattacks per device per day, a rate much higher than that faced by larger enterprises.
Consequently, all enterprises – large and small – must prepare themselves for potential attacks by taking action to bolster their cybersecurity protections. To this end, the White House Fact Sheet outlines specific steps to proactively defend against potential cyberattacks. In particular, it encourages technology and software companies to quickly:
“Build security into your products from the ground up — ‘bake it in, don’t bolt it on’ — to protect both your intellectual property and your customers’ privacy.”
“Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.”
“Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.”
“Software developers are responsible for all code used in their products, including open source.… Make sure developers know the … origin … of components they are using and have a ‘software bill of materials’ in case one of those components is later found to have a vulnerability so you can rapidly correct it.”
“Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.”
As the White House states, modern “automated tools” are essential to an enterprise’s prevention-first cybersecurity toolbox. Consistent with the Fact Sheet, BlackBerry underscores the importance of artificial intelligence (AI) and machine learning (ML) to defend against cyber threats. Among many benefits, the best AI/ML-driven security tools can effectively identify and block previously unknown and undetected threats before they execute. This is what BlackBerry calls the predictive advantage of AI/ML-driven cybersecurity tools.
Also noteworthy is the White House’s emphasis on G7 countries working together “to hold accountable nations who harbor ransomware criminals, and tak[e] steps with partners and allies to publicly attribute malicious activity.” BlackBerry concurs.
At the B7 (business counterpart to the G7) summit last May in London, I had the honor of delivering remarks on behalf of BlackBerry. My remarks noted that “cybersecurity is one of the G7’s most pressing challenges to our shared democratic values and safety. One only has to utter Colonial Pipeline, SolarWinds, Microsoft Exchange, the Hackney Council, EasyJet, Ducks Hospital, the Canadian Revenue Agency, Dusseldorf University Clinic, the Italian Social Security Service, and Honda to send chills down the spines of G7 government leaders and the organizations targeted.” And I urged the G7 to “prioritize cybersecurity in its agenda and … bolster our nations’ collaborative global digital leadership on cybersecurity policy, research, global standards and investment.”
In sum, BlackBerry welcomes the White House’s commitment to policies that elevate and invest in cybersecurity. We applaud the Administration’s focus on a prevention-first, public-private, and G7 collaborative approach to cybersecurity policy. BlackBerry stands ready to help government agencies and enterprises of every size and sector to bolster their cybersecurity defenses in line with the White House Fact Sheet’s urgent guidance.