Cybersecurity has become a critical component of running a productive and profitable organization, so it is no surprise that geopolitical tensions have spilled into cyberspace. Nation-states have used cyberwar tactics against each other for as long as it has been possible to do so. But over the last few years, as foreign affairs between certain nations have grown more contentious, governments have been forced to take action.
Now, before we dive in, let’s take a step back and look at the big picture: Cyberspace does many things very well, not the least of which is blurring geographic borders.
This offers some incredible advantages. For organizations hiring remote workers, it means they can seek out and hire top talent, regardless of where they live. For other companies, cyberspace introduces avenues for innovation. There are fewer constraints on where a product can be made or from where a service can be offered. Individuals and businesses have thrived because it’s so much easier to create in a world that provides reliable connectivity and sharing mechanisms. This openness has allowed many industries, cybersecurity being one of the most prominent, to boom.
Yet, while innovation and opportunity abound, it is also impossible to ignore geopolitical and sociopolitical issues in the business world. In the U.S., any company under Foreign Ownership, Control, or Influence (FOCI) must adopt specific mitigation measures if it wants to hold a facility security clearance and perform classified work for the U.S. Federal Government. These measures protect national interests and provide a degree of protection against wrongdoing by foreign individuals with malicious intentions. Of course, maliciousness doesn't stop at local, state, or federal borders, but FOCI review is an oversight mechanism that helps mitigate surveillance, espionage, and unlawful influence.
Cautious optimism
Most cybersecurity professionals operate with a healthy dose of skepticism. We've seen too much borderless nefariousness to be too trusting. Because of this, the industry has worked with government entities over the years to help them understand the risks, and government, in turn, has developed an approach best described as "cautious optimism".
Back in 2017, the U.S. Department of Homeland Security issued Binding Operational Directive 17-01, directing federal agencies to remove Kaspersky Lab products from their systems, and Congress codified a federal ban on Kaspersky in that year's National Defense Authorization Act. In 2022 the U.S. Federal Communications Commission (FCC) added Kaspersky to its Covered List of communications equipment and services deemed a national security risk, a list that already named several Chinese manufacturers and is kept up-to-date to this day. China, for its part, has given the U.S. and several other nations cause for concern. Chinese-based Huawei and ZTE have both reportedly shipped products containing backdoor access, and this, naturally, leads U.S. officials to wonder whether the same thing is going on with other Chinese-made products, including TikTok, which we'll get to momentarily.
Along the same lines, the U.S. Secure and Trusted Communications Networks Act of 2019 (H.R. 4998), signed into law in March 2020, was enacted to protect national interests. The law "establishes (1) a mechanism to prevent communications equipment or services that pose a national security risk from entering U.S. networks, and (2) a program to remove any such equipment or services currently used in U.S. networks." The premise is that keeping a published list of companies with potential ties to nation-state activity, or those that fall under government control in hostile countries, will help both government and non-government organizations stay more secure.
None of this, however, prevents such assets from finding their way into organizations' networks. Nor does it stop individuals from buying consumer-grade products and services that unintentionally introduce unnecessary risk.
Unless you've been in hiding for the last several years, you're probably aware of the current controversy orbiting TikTok, the hugely popular social media app owned by Beijing-based ByteDance. Although the subsidiary doesn't operate in China, U.S. lawmakers and many cyber-forward individuals are concerned about the national security risks the app poses. With over 150 million U.S.-based users on the platform, there is significant worry that the parent company could compel U.S. operations to harvest data on, spy on, blackmail, or exert unwelcome influence over unsuspecting TikTok users. As such, the Biden administration has threatened a total ban on the app in the U.S. unless ByteDance divests TikTok entirely. Many state and local governments have already prohibited the mobile app on government-owned devices.
Serious considerations
While there is little public evidence that the mobile app is currently being used for malicious purposes, there have been many documented cases of hardware, software, and services (i.e., assets) being used in nation-state operations. Hence the government regulations.
For what it's worth, the U.S. isn't the only government restricting foreign adversary assets. China began ordering foreign hardware and software out of government offices in 2019, and Russia more recently banned foreign software in critical infrastructure and foreign messaging apps for certain organizations. Several other countries also restrict what their citizens can see and access on the internet.
Create reliable processes
All organizations, whether in the public or private sector, need to take proactive, preventative measures to comply with government regulations and ensure they aren't unnecessarily exposing themselves to foreign interference. To start, IT and security teams must know what assets are on their networks and on users' devices. This means creating an end-to-end process for identification, monitoring, triage, and remediation. Things get tricky when you consider the vast SaaS and mobile app landscapes, which blur the line between personal and organizational use.
For instance, many U.S. states have banned TikTok from government-owned and operated mobile phones. But that in no way prevents government employees from accessing the app on personal devices, or from using those personal devices for work purposes. Users always find ways around restrictions.
This is especially worrisome when IT and security teams lack the tools to see what is running on their networks, or where users are logging into third-party apps with work credentials from personal devices. Vulnerability scans have blind spots. Endpoint agents may not be installed on personal devices. Traffic sniffers miss any off-network activity. So the only true solution is tying together all the tools that collect data about users, devices, software, hardware, SaaS applications, access, behavior, and vulnerabilities, a discipline otherwise known as cybersecurity asset management and SaaS management. If you want to be more specific: Axonius.
Eliminate unapproved assets and apps
Axonius is the only cybersecurity asset management and SaaS management company to offer complete visibility and management of all asset types (users, devices, software, hardware, SaaS applications, and vulnerabilities) in one solution.
Out of the box, Axonius offers the most pre-built adapters (a.k.a. technology integrations), making it fast and easy for any company to connect the technology it has already deployed. But it's not just data collection. The Axonius normalization, deduplication, and correlation engine gives our customers a credible, reliable single source of truth for all assets and asset-related vulnerabilities, because at the end of the day, knowing is only half the battle. Organizations have said, unequivocally, that they need mechanisms to find, understand, prioritize, and quickly remediate the most dire vulnerabilities, including the banned or restricted software discussed above.
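The blind spots described under "Create reliable processes" and the normalize-deduplicate-correlate approach described here can be illustrated in a few dozen lines. The following is an added example written for this article, not Axonius code or any vendor's export format: it merges constructed endpoint-agent, MDM, and identity-provider records by serial number, canonicalizes vendor product names against a restricted-software list, and then asks three questions a practitioner would want answered: which devices carry restricted software, which devices are missing from a data source (an agent never installed, for instance), and which users signed into a restricted app from a device no inventory knows about. The field names, serials, and e-mail addresses are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Restricted software keywords, lower-cased. Matched as substrings of
# normalized product names so vendor variants ("Kaspersky Endpoint
# Security 11", "TikTok Lite") resolve to one canonical entry.
RESTRICTED = ("kaspersky", "tiktok")

# --- Constructed sample exports (hypothetical shapes, not a real tool's) ---
EDR_EXPORT = [
    {"hostname": "LAPTOP-0431", "serial": "C02XY1",
     "software": ["Microsoft Teams", "Kaspersky Endpoint Security 11"]},
    {"hostname": "laptop-0432", "serial": "C02XY2", "software": ["Slack", "Zoom"]},
]
MDM_EXPORT = [
    {"device_name": "LAPTOP-0431", "serial_number": "c02xy1",
     "owner": "alice@example.org", "apps": ["Outlook"]},
    {"device_name": "PHONE-0090", "serial_number": "DMPQ88",
     "owner": "bob@example.org", "apps": ["TikTok", "Outlook"]},
]
# Identity-provider sign-ins; device_id is None when the IdP saw no managed device.
IDP_SIGNINS = [
    {"user": "Bob@Example.org", "app": "tiktok", "device_id": "DMPQ88"},
    {"user": "carol@example.org", "app": "TikTok", "device_id": None},
    {"user": "alice@example.org", "app": "Zoom", "device_id": "C02XY1"},
]


@dataclass
class Asset:
    serial: str
    hostnames: Set[str] = field(default_factory=set)
    owners: Set[str] = field(default_factory=set)
    software: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)


def norm(value: Optional[str]) -> str:
    """Normalize identifiers so 'C02XY1' and ' c02xy1 ' dedupe to one key."""
    return (value or "").strip().lower()


def restricted_hits(software_names) -> Set[str]:
    """Canonical restricted keywords present in a list of product names."""
    return {kw for name in software_names for kw in RESTRICTED if kw in norm(name)}


def build_inventory(edr, mdm) -> Dict[str, Asset]:
    """Merge per-source records into one Asset per normalized serial number."""
    inv: Dict[str, Asset] = {}

    def get(serial: str) -> Asset:
        key = norm(serial)
        return inv.setdefault(key, Asset(serial=key))

    for rec in edr:
        a = get(rec["serial"])
        a.hostnames.add(norm(rec["hostname"]))
        a.software.update(norm(s) for s in rec["software"])
        a.sources.add("edr")
    for rec in mdm:
        a = get(rec["serial_number"])
        a.hostnames.add(norm(rec["device_name"]))
        a.owners.add(norm(rec["owner"]))
        a.software.update(norm(s) for s in rec["apps"])
        a.sources.add("mdm")
    return inv


def restricted_devices(inv: Dict[str, Asset]):
    """Devices carrying restricted software, with the sources that saw them."""
    out = []
    for a in inv.values():
        hits = restricted_hits(a.software)
        if hits:
            out.append({"serial": a.serial, "hits": sorted(hits),
                        "sources": sorted(a.sources), "owners": sorted(a.owners)})
    return sorted(out, key=lambda f: f["serial"])


def coverage_gaps(inv: Dict[str, Asset], expected=("edr", "mdm")):
    """Serials missing from at least one expected source (e.g. no agent installed)."""
    return sorted(a.serial for a in inv.values() if not set(expected) <= a.sources)


def unmanaged_restricted_access(signins, inv: Dict[str, Asset]):
    """Sign-ins to a restricted app from a device that no inventory knows about."""
    out = []
    for ev in signins:
        if restricted_hits([ev["app"]]) and norm(ev.get("device_id")) not in inv:
            out.append({"user": norm(ev["user"]), "app": norm(ev["app"])})
    return out


if __name__ == "__main__":
    inventory = build_inventory(EDR_EXPORT, MDM_EXPORT)
    print("restricted devices:", restricted_devices(inventory))
    print("coverage gaps:", coverage_gaps(inventory))
    print("unmanaged restricted access:", unmanaged_restricted_access(IDP_SIGNINS, inventory))
```

Two points matter in practice. Serial number is the join key because hostnames are reused and inconsistently cased, which is why the laptop reported by both the agent and the MDM collapses to a single asset rather than two. And the third report is the one that surfaces the personal-device problem the article describes: the identity provider alone knows that a user reached a restricted app from a device that neither the endpoint agent nor the MDM has ever seen.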
Identifying unapproved software, or users accessing unmanaged or restricted apps, requires fast action, so it is imperative to have a holistic picture of the technology environment, including any downstream impacts caused by connections or dependencies. This is especially true when the organization suspects users are accessing banned or restricted software or applications.
When the need is to expedite the removal of software or device access, Axonius offers that capability too, directly from our Enforcement Center. Customers can set up automated helpdesk tickets and notifications, or take more direct action on devices, users, and apps themselves.