The MSP downstream cyberthreat paradox: Understanding the city and county connection
Recently the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and international cyber authorities, issued a cybersecurity advisory aimed at protecting managed service providers (MSPs) and their customers. This high-level advisory has been in the works for some time, ever since the SolarWinds and Kaseya supply chain cyber-attacks. A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and plants malicious code in the software before the vendor ships it to customers. The compromised software then compromises the customer’s data or systems.
This backdoor-type cyber-attack has been especially problematic for public entities, and for local governments in particular, whose defenses are not geared toward such intrusions. After all, the service provider is considered a trusted source, and software or updates arriving through that trusted channel are rarely scrutinized.
Even before supply chain attacks came into view, local governments struggled to keep up with the latest tools of the trade because of insufficient funding and the difficulty of maintaining, training, and attracting IT and cyber talent. The remedy, it seems, is to turn to MSPs either to supplement their cyber defenses or to hand over most of the IT function, with the hope and expectation that their systems will be better managed and protected. After all, an MSP can modernize and update those systems and spread the cost over a growing customer base.
So as dependence on MSPs grows, many have expressed concern that some, or perhaps many, MSPs may not be keeping up either.
In the just-released advisory, CISA’s Director Jen Easterly stated, “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”
The advisory calls on MSPs to:
- Prevent initial compromise by implementing mitigations against the common initial access methods: exploitation of vulnerable devices and internet-facing services, brute force and password spraying, and phishing.
- Enable monitoring and logging, including retention of the most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting.
- Secure remote access applications and enforce multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
- Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
- Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
The advisory’s list sounds rather familiar when viewed as a composite of best practices, and those best practices apply as much to local governments as they do to MSPs. In fact, if more local governments were able to implement this guidance in its entirety, there would be less need to turn to MSPs in the first place. So here is the paradox: as local governments increasingly turn to MSPs, they are mostly doing so expecting greater protection across the board, and all too often they assume their MSP is already providing every necessary protection. To be fair, many MSPs do provide state-of-the-art protections. Smaller MSPs have weighed in by saying they offer many such protections, but some customers balk at the higher price of service and opt for cheaper alternatives. Other MSPs have said that the advisory certainly sets the bar higher for what is considered ideal, but that it cannot happen all at once, for many reasons, chief among them increased cost. In the end, local governments may have to accept the higher cost that is passed down; it is becoming the cost of doing business, which now includes the extra expense of providing adequate protection for governmental systems. Just how well the advisory will be received by MSPs is still unclear.
While the CISA advisory is aimed primarily at MSPs and the customers they serve, local governments may find it a highly useful assessment tool. It can serve as a framework or checklist for evaluating the cyber protection they are currently getting, or for comparing what other MSPs provide by way of cyber protection.
Local governments have been caught downstream for some time and it’s time to build the much-needed cyber defense dams.
Dr. Alan R. Shark has been the vice president public sector and executive director of the CompTIA Public Technology Institute (PTI) in Washington D.C. since 2004. He is a fellow of the National Academy of Public Administration and chair of the Standing Panel on Technology Leadership. Shark is an associate professor at the Schar School of Policy and Government, George Mason University, and is a course developer/instructor at the Rutgers University Center for Government Services. Shark’s thought leadership activities include keynote speaking, blogging, and the bi-weekly podcast Sharkbytes. He is the author or co-author of more than 12 books, including the nationally recognized textbook Technology and Public Management and CIO Leadership for Cities and Counties.