US, allied cybersecurity agencies advise reviewing contracts with tech vendors


A joint advisory from CISA, domestic partners and counterpart agencies in the Five Eyes intelligence alliance warns of a heightened threat to managed service providers and their customers.

U.S. cybersecurity agencies and others from nations in the Five Eyes intelligence sharing alliance urged organizations to review their agreements with the entities to which they grant system access for help with various functions.

They noted advanced persistent threat actors’ plans to increase their use of such entities as vectors for attack.

The FBI, NSA and Cybersecurity and Infrastructure Security Agency—along with the United Kingdom’s National Cyber Security Center, the Australian Cyber Security Center, Canadian Center for Cyber Security and New Zealand National Cyber Security Center—issued a joint cybersecurity advisory Wednesday.

“Expect state-sponsored advanced persistent threat groups and other malicious cyber actors to increase their targeting of [Managed Service Providers] against both provider and customer networks,” according to a press release on the advisory. 

“The advisory provides several actions that organizations can take to reduce their risk of becoming a victim to malicious cyber activity,” the release reads. “Additionally, MSP customers should ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory.”

Under the agencies’ definition of managed service providers, attacks involving such providers would include the infamous “SolarWinds hack,” in which the IT management firm unwittingly introduced a trojanized update to its customers, which included much of the federal enterprise.

White House officials said nine government agencies were compromised in the attack, which also involved use of Microsoft’s directory system to move laterally across networks with hijacked credentials.

The agencies noted their advisory on managed service providers “does not address guidance on cloud service providers—providers who handle the [Information and Communications Technology] needs of their customers via cloud services such as software-as-a-service, platform-as-a-service, and infrastructure-as-a-service; however, MSPs may offer these services as well.” 

NSA and CISA did weigh in last fall on the responsibilities cloud providers and their customers share when securing the environments, something that creates a degree of anxiety within the federal government.

Officials at the Office of Management and Budget and the General Services Administration have said since the fall of 2020 that they are working to update contracting language to simplify and support agencies’ secure cloud procurement.

“This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data,” said Rob Joyce, NSA cybersecurity director. “Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization.”