
White House Advisory Groups Stress Need for Proactive Security Testing

15 Mar 2024
Brian Tillett

Back-to-back reports from two groups of White House advisors have shined a spotlight on the need for U.S. critical infrastructure operators to take a more proactive approach to cybersecurity – including security testing. 

Early this month, the President’s Council of Advisors on Science and Technology (PCAST) – a group that includes members from industry, academia and the private sector – released its Strategy for Cyber-Physical Resilience, recommending the Biden administration hold executives responsible for good cybersecurity practices while fortifying critical infrastructure networks against fast-moving threats. PCAST called for “developing greater industry, board, CEO, and executive accountability to ensure that infrastructure is reliable and resilient,” while highlighting the need for “stress testing” highly complex cyber-physical systems like those that underpin our power grid and oil and gas networks. 

On March 7, the President’s National Security Telecommunications Advisory Committee (NSTAC) advanced its own draft report to the White House on measuring and incentivizing the adoption of cybersecurity best practices, with an eye toward bridging the gap in cyber investment from critical infrastructure organizations. 

Taken together, the NSTAC and PCAST reports offer a compelling case for security testing to find and fix critical vulnerabilities before they enable attackers to wreak havoc on global infrastructure. And they underscore “secure by design” software principles that Synack, as the premier penetration-testing-as-a-service (PTaaS) provider, is proud to support by comprehensively testing internet-connected customer assets.

“The big technology manufacturers need to design, develop, and deliver products that measurably decrease the number of exploitable flaws and defects, frankly, and prioritize security over speed to market and features and driving down costs,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said at an event on the PCAST report Wednesday hosted by the Foundation for Defense of Democracies. “Because that’s why we’re in this reactive mode trying to ensure that we can keep infrastructure safe.”

Pentesting is an essential part of any mature security program, and it falls squarely in the proactive rather than reactive camp. Many critical infrastructure organizations lean too heavily on reactive tools centered on detection, response and recovery. While these capabilities play a vital role in cyber defense, they aren’t geared toward staying ahead of cyber adversaries. 

But how often should organizations pentest their networks? When should they turn to PTaaS solutions, and what should they consider when choosing a PTaaS provider? The answers depend on a host of factors, from the complexity and rate of change of the attack surface to the strictness of the regulatory environment. 

The authors of the NSTAC report – including representatives from Microsoft, Lockheed Martin, Oracle and Palo Alto Networks – keyed in on the lack of clarity surrounding pentesting requirements laid out by regulations like NIST 800-53, DFARS 7012 and the Securities and Exchange Commission’s recent cyber incident reporting rule.

“Requirements specifying the frequency for performing vulnerability scanning are highly variable including ‘regular,’ quarterly, annually, risk-based, and when hardware or software changes occur,” the NSTAC report said. “Very often clarity on scope is not included; for example, which assets need to be included—internal and/or external networks, web applications, information systems, ports, services, etc.”

Helping Critical Infrastructure Succeed with Security Testing

At Synack, we believe that organizations’ most critical, frequently-updated assets should be tested on a continuous basis. Given the speed of modern software development life cycles, once- or twice-a-year pentests aren’t enough to pick up on potential vulnerabilities that could linger for months before they’re fixed. The traditional way to pentest can leave huge security gaps that some White House advisors clearly find to be unacceptable. 

The Synack Platform enables customers to comprehensively test their web apps, host assets, APIs and even AI and large language models. Drawing on the collective expertise of the global Synack Red Team, a vetted community of over 1,500 security researchers, the Synack approach to security testing is uniquely positioned to continuously find and root out exploitable vulnerabilities. 

To the PCAST report’s concerns about executive accountability, the Synack Platform also includes detailed analytics on coverage during testing and more widely helps organizations identify and address the root causes of common vulnerabilities. When auditors, regulators or board members come knocking, executives can show how thoroughly in-scope assets were tested, down to the number of hours Synack Red Team members spent on-target.

The NSTAC and PCAST reports offer an important window on some of the most pressing challenges facing the cybersecurity industry today. And while there may be no silver bullet for solving the shortcomings the White House advisors identified, public and private sector organizations aren’t helpless in the constant battle against cyberthreats. To learn more about how Synack can ease pressure on your security teams, click here or schedule a demo.