WASHINGTON, D.C. - Use of misconfigured, outdated and end-of-life products can and is resulting in massive vulnerabilities in global network infrastructure security, causing disruptions to both businesses and consumers. A new white paper released today from the Network Resilience Coalition, an alliance composed of technology providers, security experts, and network operators, offers recommendations on how vendors and users of networking products can collaborate to improve the overall security of networks. 

The white paper, “Protecting Network Resiliency” was developed after months of collaboration between industry and security experts through the Network Resilience Coalition, which launched in the summer of 2023 to improve the security, safety, and resilience of the hardware and software that makes up our networks.

This paper marks an important milestone in that effort, providing guidance to improve the security, safety, and resiliency of global network hardware and software and a roadmap for industry and government cooperation on key security improvements. 

Failure to protect network infrastructure not only presents heightened business risks but also poses risks to the technologies that our society relies on to function. Too often, misconfigured or discontinued, end-of-life products are generating a massive attack surface for adversaries, and communication gaps between product vendors and service providers, as well as additional challenges.

According to the paper, the long-term benefits, such as preventing disruptive incidents and enhancing overall network resilience, outweigh the upfront costs of implementing these best practices.

Key recommendations from the report for network product vendors include:

• Align software development practices with the NIST Secure Software Development Framework (SSDF).
• Provide clear and concise details on product “end-of-life,” including specific date ranges and details on what support levels to expect for each.
• Separate critical security fixes for customers and not bundle those patches with new product features or functionality changes.
• Get involved in the OpenEoX effort in OASIS, a cross-industry effort to standardize how end-of-life information is communicated and provide it in a machine-readable format.

Purchasers of network products should:

• Favor vendors that are aligned with the SSDF, provide clear end-of-life information, and provide separate critical security fixes.
• Increase cybersecurity diligence (vulnerability scanning, configuration management) on older products that are outside of their support period.
• Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age, and ensure implementation of timely updates and patches.
• Get involved in the OpenEoX effort in OASIS, a cross-industry effort to standardize how end-of-life information is communicated and provide it in a machine-readable format.

“Network resilience is vital for the security of critical network infrastructure on which our economy relies,” said Ari Schwartz, coordinator of the Center for Cybersecurity Policy & Law, a leading cyber-policy focused non-profit that formed the Network Resilience Coalition. “We’re grateful to all of the industry representatives who worked over the past several months to provide key recommendations that will improve the security of critical networks across both the public and private sectors.”

These recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure and help better protect the critical infrastructure that people rely on for their livelihood and well-being. 

Founding members of the Network Resilience Coalition include AT&T Inc., Broadcom, BT Group, Cisco Systems Inc., Fortinet, Intel Corp., Juniper Networks, Lumen Technologies Inc., Palo Alto Networks, Verizon and VMware. 

The full white paper can be found on the Network Resilience Coalition’s website here. 

About the Network Resilience Coalition

The Network Resilience Coalition (NRC) was founded in mid-2023 with a vision to improve the security, safety, and resilience of the hardware and software that makes up our networks. Members consist of companies that are either vendors of networking hardware and software, or consumers and deployers of those products. Together, these members are working towards a shared goal of uplifting the entire ecosystem through technological innovation, collaborative standard and best-practice setting, and acting as a resource for policymakers in the space. The NRC is operated under the Center for Cybersecurity Policy and Law alongside similarly collaborative efforts.

About the Center for Cybersecurity Policy & Law:

The Center for Cybersecurity Policy & Law is an independent organization dedicated to enhancing cybersecurity worldwide by providing government, private industry, and civil society with practices and policies to better manage security threats. Established in 2017 as a 501(c)(6) nonprofit, the Center combines policy expertise with convening power to bring industry leaders together with policymakers, form coalitions, and launch initiatives that produce real-world outcomes.

Contact:

Center for Cybersecurity Policy and Law

ccpl@glenechogroup.com

‍