Some of the biggest names in IT and service providers including AT&T, Cisco Systems, Fortinet, VMware and Intel today launched an industry group promising solutions that improve the security of data and IT networks.
Called the Network Resilience Coalition, they hope to solve two of the biggest problems for CIOs, CISOs and network administrators: the failure to install critical updates in a timely manner, and the lack of network visibility that would let IT staff spot irregularities.
But the problems also include bad practices such as hardcoding passwords into hardware and software, and, as one speaker pointed out at a news conference announcing the group, figuring out why a company has good patching of devices in one area of its network and lousy patching in another.
Another problem is IT departments that keep unsupported products in their environments or are caught off-guard when manufacturers announce a product is suddenly discontinued.
Technology companies must find ways to address the continued problem of software and hardware updates and patches not being implemented, the group said in a news release, while also encouraging organizations to have better visibility into their networks to better mitigate cyber risks.
One goal: The creation of a report that has clear, actionable recommendations for improving network security for technology providers, technology users, and those creating or regulating security policy.
“Network resilience is vital to the health of our economy and our interconnected world and there is a need to focus on how to improve the security of the larger ecosystem by all sides working together,” Ari Schwartz, co-ordinator of the U.S.-based Center for Cybersecurity Policy & Law and managing director of cybersecurity services at the Washington, D.C. law firm Venable, said in a news release. “Too often we see organizations fall victim to a cyberattack because an existing critical update or patch wasn’t made.”
The Center is a non-profit that brings together industry leaders with policymakers to find solutions that can help improve the digital security of networks, devices and critical infrastructure.
Initial group members also include Broadcom, Britain’s BT Group, Juniper Networks, Lumen Technologies, Palo Alto Networks and Verizon.
At a news conference this morning, experts talked about problems and possible solutions.
One solution: Legislation. Paul Waller, principal technical director of the U.K.’s National Cyber Security Centre, noted that last year the government passed the Product Security and Telecom Infrastructure Act to encourage hardware and software manufacturers to share information about the security management of IoT devices.
The regime, which comes into effect next April, will require manufacturers of U.K. consumer connectable products to comply with minimum security requirements.
The U.K. is also encouraging developers to join a security-by-design program to get them to code applications better. Reducing the number of vulnerabilities should reduce the number of patches issued.
In Canada, the government’s proposed Critical Cyber Systems Protection Act plus proposed changes to the Telecommunications Act would put obligations on critical infrastructure providers.
During a press conference panel discussion, Brad Arkin, Cisco Systems’ chief security and trust officer, noted that in 2017 Cisco issued a particular patch for one of his company’s products, followed in early 2018 by an advisory that the vulnerability was being exploited.
Still, in April of this year, five years later, American and U.K. cybersecurity agencies had to publish a warning that threat actors are still exploiting the unpatched product. “It shows that our current system isn’t working,” he said.