SolarWinds Supply Chain Attack Affected 37 Companies in US Defense Industrial Base
In testimony before the US Senate Armed Services cyber subcommittee, Rear Adm. William Chase III told legislators that 37 companies within the defense industrial base were affected by the SolarWinds supply chain attack. Chase also noted that the Department of Defense (DOD) was not affected by SolarWinds or by Hafnium.
The key quote: “… the Cybersecurity Maturity Model Certification, DOD’s nascent program for improving the cybersecurity of the defense industrial base, would not necessarily have prevented the intrusions.” Maturity models are great for identifying and communicating the most dangerous gaps in security processes, but they do NOT focus on actual testing and continual monitoring. A simple example: many software vendors that achieved the highest levels of the software Capability Maturity Model continued to deliver code with well-known vulnerabilities. Active monitoring and testing are needed to deal with software supply chain attacks.