News, Trends, and Insights for IT & Managed Services Providers

Microsoft Faces Congressional Investigation over Significant Azure Breach; Competitors Slam Negligent Practices

Written by

Dave Sobel

Published on

August 7, 2023

On Friday, we discussed the Microsoft breach. That story continues, as Microsoft is facing further criticism for its cybersecurity practices after a significant breach targeting its Azure platform, which resulted in the theft of sensitive emails from US government officials.

A new congressional committee is investigating the recent Microsoft-related breach of government email accounts. The House Oversight Committee sent letters to the Commerce Secretary and the Secretary of State requesting a staff briefing on the incident before Aug. 9. Microsoft competitors have started voicing their disgruntlement with the tech giant’s cybersecurity practices, with Tenable CEO Amit Yoran harshly criticizing Microsoft for failing to patch a critical vulnerability. He further accused Microsoft of a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government.

It wasn’t a good weekend for security, as the FBI is investigating a ransomware attack on hospitals in several US states, which caused emergency rooms to shut down and ambulances to be diverted.

The Cybersecurity and Infrastructure Security Agency (CISA) has released its strategic plan for fiscal years 2024 through 2026, which aligns with the Biden administration’s focus on improving the nation’s cybersecurity preparedness. The plan focuses on three goals: addressing immediate threats, hardening the terrain, and driving security at scale, with nine objectives outlining the agency’s scope for the next three years.

And don’t be dismissive of these government moves. A report by Sonatype has shown that 76% of organizations in the UK and the US have adopted a software bill of materials (SBOM) since President Biden signed an Executive Order to improve software supply chain security; another 16% plan to do so in the next 12 months. SBOMs are becoming a key procurement requirement, with 60% of respondents making it a contractual condition that suppliers maintain an SBOM.

Why do we care?

Color me hopeful on a Monday. That software bill of materials EO was signed back in May of 2021. Two years later, it’s being implemented extensively. Investigations now may take another two, three, or four years to have results. That’s still results. Regulatory compliance remains an active, significant opportunity quickly becoming table stakes.
