NSA Cybersecurity Alert Prompts the Question: Is Your Organization at Risk?

On Oct. 20, the National Security Agency (NSA) issued a remarkable alert on cybersecurity, revealing 25 specific vulnerabilities that Chinese state-sponsored actors are currently using to steal data, intellectual property, and trade secrets from American companies.

Why is this so important? And what should directors do?

Most directors are familiar with cybersecurity now and likely know what a software vulnerability is. (Note: a vulnerability is a software “weakness” that can be exploited by a threat actor to gain access to a computer system.) But they may also have been lulled to sleep over the years by news and research outlets continuously emphasizing just how important it is to patch software vulnerabilities. Furthermore, many directors have probably seen a board report from their company’s chief information security officer (CISO) showing that their organization has hundreds—or maybe even thousands—of unpatched vulnerabilities. They’ve probably heard from the CISO that many organizations have significant numbers of unpatched systems, but that they should not worry—vulnerabilities are often scored on a severity scale of zero to 10, and most vulnerabilities won’t be exploited by malicious actors. Directors may be comforted by this and the reality that most organizations struggle to manage vulnerabilities through regular patching.

Now, the NSA alert sends a clear message to directors: It’s time to focus on how your organizations manage and mitigate vulnerabilities. And despite everything else going on in the world right now, these 25 vulnerabilities must be addressed immediately because they are being actively exploited by a malicious actor during a time of only increasing geopolitical tension between China and the United States.

Directors should engage with their security and risk teams as soon as possible to answer the following two critical questions:

1. Have we patched these vulnerabilities within our own organization?

2. Have our third-party suppliers, business partners, and vendors patched these vulnerabilities within their organizations?

Directors must engage on this issue immediately because data suggest that there are many companies out there with systems that are vulnerable to these risks. Recently, BitSight published research focusing on four major remote-access vulnerabilities identified in the NSA alert. (Remote access means that vulnerabilities can be exploited by a remote attacker.) The research shows how prevalent these four vulnerabilities are across various sectors of the economy and across countries.

It is critical that directors determine how these vulnerabilities affect not only their organization, but the broader supply chain on which their organization is dependent. There have been countless breaches in recent years involving attackers targeting an organization’s weakest links—usually, the third-party business partners to whom they have provided sensitive information. Directors must ask their security and risk leaders how they can verify whether these NSA vulnerabilities have been patched and addressed by the members of their supply chain. It is no longer reasonable to trust that partners will do the right thing.

The NSA alert is truly a call to action for directors. By identifying and mitigating these critical risks within your own organization and your broader business ecosystem, your company can decrease its likelihood of becoming the next victim of a state-sponsored cyberattack.