The MSP downstream cyberthreat paradox: Understanding the city and county connection

Recently the Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI, NSA, and international cyber authorities issued a cybersecurity advisory aimed at protecting managed service providers (MSPs) and their customers. This high-level advisory has been gestating for some time ever since the SolarWinds and Kaseya supply chain cyber-attacks. A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.

This backdoor-type cyber-attack has been problematic for public entities—especially local governments whose defenses are not geared towards such intrusions. Afterall, the service provider is considered a trusted source.

Even before we became aware of a supply-chain attack, local governments have struggled with keeping up with the latest tools of the trade due to insufficient funding as well as trying to maintain, train, and attract IT and cyber talent. The remedy it seems is to turn to MSPs to supplement their cyber defenses or to turn over most of the IT functionality with the hope and expectation their systems may be better managed and protected. Afterall, the MSP can modernize and update their systems and spread such costs over a growing customer base.

So as the dependence on MSPs grows, many have expressed concerns that some or many MSPs may not be keeping up either.

In the just-released advisory, CISA’s Director Jen Easterly stated, “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

The advisory calls on MSPs to:

To read the complete article, visit American City & County.