A trio of major cybersecurity companies on Monday announced that they’re offering free cybersecurity services and support to vulnerable industries for four months.
Under the new Critical Infrastructure Defense Project, companies in particularly vulnerable industries — such as hospitals and water and power utilities — will have access to the full suite of Cloudflare’s Zero Trust solution, CrowdStrike’s endpoint protection and intelligence services, and Ping Identity’s Zero Trust identity solutions.
In addition, the project includes a roadmap with step-by-step security measures that any business can follow to protect themselves from cyberattacks.
“We rely on our infrastructure to power our homes, to provide access to water and basic necessities, and to maintain critical access to healthcare,” Cloudflare Co-founder and CEO Matthew Prince said in a statement.
“That’s why,” he continued, “it’s more important than ever for the security industry to band together and ensure that our most critical industries are protected and prepared.”
“This is first and foremost a public service initiative to secure the endpoints and data of some of the most important critical infrastructure entities in the country,” added Co-founder and CEO of CrowdStrike George Kurtz.
Equal Parts Altruism and Marketing
Gartner Research Vice President Katell Thielemann noted that similar security offers were made as the Covid pandemic spread. “From the vendor standpoint, they are equal parts altruism and marketing — but these companies should be praised for their efforts to help the community,” she told TechNewsWorld.
“From the end-user standpoint, they can be very helpful, whether to bolster their security posture or to simply try new services,” she added.
Thielemann cautioned end users to “read the fine print” before entering into any agreements, deploy services with care and have an exit strategy if things don’t work out or the price of post-offer services is too high.
“Cloudflare, CrowdStrike, and Ping Identity are leaders in the security space. By providing their solutions to operators at no cost for four months, they are removing one of the common barriers to entry for these companies,” observed Kevin Dunne, president of Pathlock, a unified access orchestration provider in Flemington, N.J.
“However, the biggest barrier to entry is usually the cost and friction to implement these solutions, especially without the required know-how or readiness that often impacts these vulnerable industries,” he told TechNewsWorld.
“So,” he continued, “while not a drawback per se, organizations should understand that receiving the solution at no cost does not mean that they can derive value and protection without cost.”
Boost to Zero Trust
Purandar Das, CEO and co-founder of Sotero, a data protection company in Burlington, Mass. noted that the Critical Infrastructure Defense Project could be a big benefit to companies on the fence about implementing a security program.
“Obviously, any safety measures are valuable in times such as these,” he told TechNewsWorld. “If this offer helps organizations get over any budget and timing limitations they have had, this could help them secure themselves better.”
On the other hand, he continued, they could find themselves getting into a long-term commitment they haven’t budgeted for.
Das added that there could be resource and skill issues, too. “Many organizations, especially legacy organizations, are not moving or have not moved fast enough to keep up with the attack vectors that have evolved,” he explained. “Deploying software such as this in a hurry could have both skills-based challenges, as well unintended effects on their infrastructure if not done well.”
Zero Trust — where user, resource and machine activity is continuously monitored for misbehavior — could receive a boost from the project, he maintained. “This could be a big catalyst for organizations to rethink their whole security approach and modernize their security stack,” he said.
These tools are certainly Zero Trust capable, meaning they can help to enforce Zero Trust in environments where it is not yet present, Dunne noted, but it’s important to highlight that Zero Trust is more of a philosophy than a set of tools.
“Even more basic tools can work to enforce Zero Trust when implemented properly,” he said. “Strong security leadership and emphasis on Zero Trust from the top down is required to have success implementing a Zero Trust vision.”
The launch of the Critical Infrastructure Defense Project comes on the heels of a “Shields Up” alert last month by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyberattacks on [the] Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region,” the alert warned.
“Every organization — large and small — must be prepared to respond to disruptive cyber activity,” it added.
CISA Executive Assistant Director of Cybersecurity Eric Goldstein explained that many organizations, both public and private, are target-rich and resource-poor. “To address this gap, CISA launched a free catalog to help such organizations improve their security posture,” he told TechNewsWorld.
“This initial catalog includes offerings from CISA, the open-source community, and key partners in our Joint Cyber Defense Collaborative like Cloudflare and CrowdStrike,” he said. “Combined with foundational cybersecurity practices, these services can help organizations detect, prevent, and respond to cybersecurity risks.”
Targets for Retaliation
Critical infrastructure providers are at greater risk of cyberattacks now than before the beginning of the Ukrainian war, maintained Das. “The volume of attacks, as well as the frequency, are increasing exponentially,” he said.
“The other risk,” he added, “is that infrastructure providers will become a primary target as a way of retaliating against the sanctions on Russia.”
Dunne added that while the U.S. has not yet seen a major increase in newsworthy breaches since the war began, much of this war is being fought on the cyber battlefields.
“We can expect it is only a matter of time before Russian cyber forces retaliate against the NATO allies that are supporting Ukraine during the invasion,” he said. “The targets most ripe for attack will be critical infrastructure, where much of the IT landscape relies on legacy solutions, and the impact of even a day of downtime can be massive.”
Energy infrastructure, in particular, may be a prime target. “As the U.S. begins to look at eliminating dependence on Russian oil,” Dunne warned, “cyberattackers may target domestic pipelines once more to see if they can cripple the movement of oil and increase reliance on Russian oil imports in the U.S.”