The North Carolina Bar Association recently shared an article written by privacy and data security attorney Peter McClelland on its Bar Blog.
In the post, Peter details how to manage risk in technology supply chains. It follows a massive data breach caused by the hacking of SolarWinds, which compromised the information of thousands of individuals and organizations across the country.
From the article:
In December 2020, as many of us were watching all things political and pandemic, current events eclipsed a serious breaking story. The SolarWinds hack exposed a level of data across the nation that was — to use the oft-turned phrase for 2020 — “unprecedented.” Not to be outdone, 2021 has now given America a data breach through the Microsoft Exchange email software that (conservatively) affected 60,000 organizations, spanning every level of size and sophistication.
Responding to the SolarWinds breach, Representative John Katko — the Ranking Member of the House Homeland Security Committee — announced five “pillars” that he believes will support the Homeland Security Committee’s cybersecurity legislation in the next two years. These pillars are 1) reorganizing the roles of key government agencies and roles; 2) addressing third-party risk; 3) identifying “concentrated sources of risk” within the government’s tech supply chain and requiring vendor certification; 4) driving software assurance; and 5) mounting a “muscular” national response to cyberattacks. We can only imagine the response that will be called for after the Microsoft Exchange hack.
The bulk of these pillars largely fall under the umbrella of revamping the way the United States government manages supply chains. The SolarWinds hack rocked the assumptions many in government held about the security of their own systems, in no small part because the SolarWinds hack seems to have begun entirely outside of the federal government’s control and was imported by trusted software.
Read the full article, titled "Managing Risk in Technology Supply Chain after SolarWinds, here.