Congress looks to tap big companies like Microsoft to prevent the next SolarWinds cybersecurity disaster, but critics warn that approach could stifle innovation (SWI, MSFT, FEYE)

Kevin Mandia, Sudhakar Ramakrishna, and Brad Smith


Last week’s Congressional hearings on the SolarWinds supply chain cyberattacks may result in closer collaboration between big companies and federal agencies – a dynamic that experts warn could discourage badly-needed innovation from newer companies.

As the nation rebounds from one of the biggest hacks in history, the federal government must map a new course for collaboration with the cybersecurity industry. Anne Neuberger, deputy national security advisor and the lead on the government’s SolarWinds response, told reporters in a recent press briefing that “public-private partnership has to be a core part of national cyber defense.”

Accordingly, last week lawmakers held a series of hearings with executives from SolarWinds, Microsoft, FireEye, and CrowdStrike on the effects of the attacks and their aftermath. In those hearings, the companies suggested to lawmakers that they could provide technology to the public sector that would help guard against similar attacks.

“We must be prepared for even more sophisticated and well-resourced foreign attacks in the future,” Microsoft president Brad Smith told members of the House of Representatives last week. “We will need new measures that are grounded in leadership by the public sector and even more collaboration with the private sector.”

If the government takes this approach, it would stand to give these heavyweights a hefty chunk of the $650 million specifically allocated for “cybersecurity risk mitigation” in the latest version of President Biden’s COVID-19 relief plan, while also strengthening their bonds with Capitol Hill and the public sector at large.

However, that’s an unwelcome notion to some competitors and startup investors, who argue that allocating tax dollars towards those companies — most of whom were themselves breached in the attack — would constitute inviting history to repeat itself. Instead of strengthening the power of already-entrenched cybersecurity players, they suggest, it’s time for the government to consider a new tack to an existing problem.

“The industry participants present in the hearing were those breached or those involved in remediating the breaches,” Todd McKinnon, the CEO of $31 billion cloud-based identity-management company Okta, a competitor to Microsoft, told Insider. McKinnon said the hearings last week lacked “the perspective of a modern, born-in-the-cloud platform that would have created a stark contrast to the platform providers present.”

“It’s a very valid point,” said Steve O’Keeffe, founder of the federal IT news site MeriTalk. “This is an opportunity for the government to take a different approach.”


How the government manages the new collaboration will shape the response to the hack that shook 18,000 companies and nine major US agencies. Neuberger said executive action on cybersecurity “gaps” was coming soon, and although President Biden addressed the need for “cutting-edge technology” to address national security in a February memo, investors say a forward-looking strategy for stopping attacks must make room for new ideas.

“The government has a unique role to play in supporting cybersecurity innovation,” said Nate Ashton, managing director of public policy at the Washington, DC, cybersecurity startup accelerator Dcode, which supports startups including Wickr, SecurityScorecard, and RiskIQ. If the goal is to protect the American people from sophisticated cyberattacks like SolarWinds, “the worst-case approach that the government could take is sticking to traditional contractors,” he said. 

Big companies do provide innovative tools, Ashton said, but much more slowly. Corporations often acquire startups with new advances, bundle those into their products, and make them available years later. “That can be a 10-year gap when the government doesn’t have the latest tools,” he said.

A change is coming to the relationship between tech, cybersecurity companies and government

Lawmakers and companies are also calling for a new, centralized way to share intelligence without liability when major attacks happen. In much the same way that the Federal Aviation Administration sets standards for the air travel industry, government oversight could be coming to the cybersecurity sector.

That means closer working relationships between federal cybersecurity officials and companies – and probably more big federal contracts for the cybersecurity industry’s biggest players and cloud providers that offer security capabilities.

Big cloud vendors like Amazon Web Services or Microsoft could benefit, according to Alex Rossino, an analyst at government contracting research firm Deltek. Those firms “have the deep pockets to be able to make sure they provide the best kind of upgraded security,” Rossino told Insider.

“IT modernization can also help with the implementation of cyber hygiene best practices, including supply chain risk management. There is no question that using cloud services for identity management can also be safer and more secure than on-premises identity systems,” Smith said in his written testimony to the Senate last week.

Critics say that relying on bigger tech companies will stifle the innovation the government needs

But those big companies may not bring the innovation the government needs, or at least not right away, some experts say.

For instance, AI-based “threat-hunting” involves computer programs “learning” what normal network behavior looks like and flagging when a deviation could indicate a hack. Adoption of that trend could benefit companies like Darktrace, SentinelOne, and CrowdStrike, O’Keeffe and other experts say.

“The US government should support threat-hunting as a way to keep us ahead of our adversaries,” said Udi Mokady, the CEO of CyberArk, which protects access to privileged user accounts, including those used in government. 

Okta, CyberArk, and others believe the government must pursue a “zero trust” approach based on continual authentication of all users and artificial intelligence that constantly searches for security issues — the same approach recently advocated by the NSA to secure enterprise networks. Microsoft and other bigger companies also provide zero trust solutions, but startup advocates hold that the state-of-the-art is often set by companies that specialize in each area, a scenario often referred to in cybersecurity as “best in breed.”

Other new approaches, such as building security into software development so that vulnerabilities are not created in the first place, are also needed, some say. “A federal agency dedicated to sharing threat intelligence would be a step in the right direction but will not be a silver bullet solution,” said Manish Gupta, CEO of ShiftLeft, a developer-security company. Experts say Snyk, Uptycs, and other startups could help the government get ahead of that trend.

Smaller companies aim to find their niche for government funding

Federal funding is coming, and smaller companies are working to find their place in line.

The latest version of Biden’s $1.9 trillion COVID stimulus package, currently working its way through the Senate, includes $850 million for cybersecurity initiatives. Of that, $650 million would be dedicated to the Cybersecurity and Infrastructure Security Agency for “cybersecurity risk mitigation,” and $200 million to hiring experts at the US Digital Service and the federal CISO office.

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework, which requires government contractors to adhere to standard cybersecurity practices validated by independent auditors, could soon be extended to other government agencies, officials said. Since the rules were announced, small businesses have hoped they will help them stand a chance against larger contractors.

Regardless of the funding outcomes, Ashton, policy director for the cybersecurity startup accelerator Dcode, said it’s crucial that government and industry address risk — not just compliance.

“Buying the same old cybersecurity systems might address compliance, so you can show your boss you checked all the boxes,” he said. “But that won’t stop the cyberattacks of the future.”
