Technology companies are having to adapt to increasing regulatory pressure from government around cybersecurity, according to SolarWinds.
SolarWinds’ head of government affairs, Chip Daniels, said governments in the both the UK and US realise they need to change their engagement with tech firms to combat cyber threats more effectively.
Daniels said one the main reasons is because of SolarWinds’ Sunburst cyberattack. The 2020 supply chain cyberattack affected at least 100 US companies, nine federal agencies and six EU institutions and agencies.
“For decades, we’ve operated under the assumption of security. Now you’re seeing that flipped, [with] terms like zero trust architecture. All that really means is I no longer assume that things are secure, and I’ve got to adapt my processes accordingly. And that’s a philosophical change in the way we view security, he said.
“It took incidents like Sunburst and ransomware attacks around the world to make us all realise this isn’t going away. This is only going to increase.”
Compliance-led vs. Trust
Daniels said the attack has led to more transparent communication between SolarWinds and government agencies. At the same time, there has been an increase in guidance coming from the US federal government to firms like SolarWinds for developing secure software. However, there are some differences to Europe.
“One of the differences I’m seeing between the US and the UK is the US is taking a more compliance-focused approach,” he said. “And there’s disagreement in the government; there’s folks in the US, that want this to be about a trusted private public partnership. There’s other agencies that are sending out checklists, ‘you must comply with these checklists.’
“What I saw in Europe was more of a relationship between the customer and the vendor, a discussion about security. Customers are asking vendors, ‘Hey, show me how you’re doing this. Or how you’re producing your software. And when we’ve developed trust together, then we’ll go forward.’
If you liked this content…
“So it’s more about a trust relationship that vendors and customers want to develop in the long run, instead of a simple transactional business model, which our company has grown up on. So it’s a change for us.”
Different approaches from government
One challenge, said Daniels, is that different government agencies will try to tackle the problem of cybersecurity in different ways.
“There’s not a consolidated approach. There’s all this guidance coming from different agencies saying, ‘here’s how we would like to see you develop secure software, if you’re a US federal agency, you must comply with these things in order to buy software, etc.’ We’ve got to pay attention to all that now, that could be an opportunity or a threat.”
Going into 2023, Daniels said SolarWinds has active programmes to address government requirements, which informs product development team and its security teams.
“We have the opportunity to get out in front of this and tell our customers or potential customers that we’re already meeting these guidelines.”
Last year US Senator Mark Warner called for Europe and the US to work together to develop common cybersecurity standards. He asked EVP of the European Commission, Margrethe Vestager, for greater collaboration, adding that Europe and the US needed to share more information concerning “first-tier adversaries” such as Russia and China.
The UK government recently announced that IT managed service providers (MSPs) will be treated as critical service providers brought into scope of Network and Information Systems (NIS) Regulations to counter supply chain threats.
