Is the US Federal Government Increasing Cyber-Risk Through Monoculture?

Could the US federal government inadvertently be fueling perfect storm conditions for another unprecedented cyber incident that would have widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage? 

Setting the Stage

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve cybersecurity posture and reduce the risk of a cyberattack. This is, of course, good, as many public entities have lacked the budget necessary to have a cybersecurity posture suitable to protect the personal data or services they provide.

Prior to this funding, each entity would make their own decision on cybersecurity and need to fund it from existing budgets. For example, a school district may select a vendor based on services and price, the neighboring school district could choose a different vendor, and so on. For the financially frugal, this would seem like a bad solution. If entities were to group together and use a single vendor, they would get bulk purchase discounts and lower the amount of tax dollars spent. 

But ask a cybersecurity professional to describe the best cybersecurity posture and they will use terms like "defense in depth" or "layers of defense." This refers to the use of multiple technologies, and in most cases multiple vendors, in order to thwart potential attacks, or incidents such as CrowdStrike's single corrupt driver causing a global outage at multiple major companies. 

When the SolarWinds cyberattack unfolded there were 33,000 private, federal, and state users of the technology, with about 18,000 installing the malicious update. The backlash of this supply chain attack resulted in new regulation on improving supply chain security, and this continues to play out today. While the attack was devastating, it was not a cyber-Armageddon event, as states, entities within states, federal agencies, and such were using a diverse set of solutions from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers highlights how devastating a single vendor issue can be, with just 8.5 million devices affected globally (representing less than 1% of Windows devices) causing mass global disruption to airlines, healthcare facilities, businesses, and more. 

Creating a Monoculture

Now consider the offer of SLCGP, which gives free money to spend on cybersecurity — it's like moths attracted to a light. A state can apply for funds from the grant to cover multiple entities within its jurisdiction. Once granted, a vendor is selected and offered to entities statewide, either free or highly discounted due to volume licensing. This creates a monoculture cybersecurity environment, or a perfect storm for a major cyber incident, where if the primary vendor is attacked or has a significant vulnerability exploited, it could take out the entire state's services, every school district, local government administration, etc. The effect on everyday society could be devastating. 

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of some type, if there are enough affected parties, the incident becomes significant, and if they are all grouped in a single state, it becomes a major incident.

If a single vendor becomes the de facto standard for states that apply for SLCGP (a good possibility: I personally know of some organizations that have been rolled into a standard solution as part of a no-cost, or near-no-cost, state solution)

To put this in context, there are approximately 50 million US children of school age. If 90% of states are customers of one solution, and this includes state-funded education, the impact of a cyber incident would see 45 million children's educations being disrupted. And in some instances, schools have suffered significantly when hit by a cyber incident — requiring closure for potentially months. And education is just one area affected by single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term typically used in farming. In brief, it is about crop rotation — diversity in planting in order to protect both the crop and the fields in which the crops are planted. If a single crop is planted in the same field over several seasons the outcome results in bad yield. 

Promoting Diversity in Cybersecurity

In 2015, an academic paper detailed the issues of monoculture cybersecurity relating to the use of antivirus (AV) products. It concluded that "lowered infection rates were positively correlated with higher rates of AV activity, stable AV product usage and status, and AV product diversity." The importance of a diverse product selection prevents a single incident, whether malicious or unfortunate, from causing a catastrophic outage. 

The actions by states to standardize on a single product using the SLCGP is creating a dominant security product scenario that causes monoculture, a default standard for cybercriminals to attack. Cybercriminals need to look for a weakness in only one product, or to discover an exploitable vulnerability, to affect a significant portion of services, potentially affecting the entire population of a state.

The solution is to promote, and require, diverse layers of defense architecture, and this should be a requirement of receiving SLCGP funding.