On May 12th, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity to strengthen the nation’s cybersecurity and protect the critical infrastructure and Federal Government networks essential to the nation’s economy and way of life.
Recent cybersecurity events such as the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents were a major reminder that U.S. public and private sector bodies face increasingly sophisticated malicious cyber activity from both nation-state actors and cybercriminals. These incidents share common characteristics, such as insufficient cybersecurity defenses that leave public and private sector entities vulnerable to compromise.
This Executive Order makes an important contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information sharing between the U.S. government and the private sector on cyber issues, and enhancing the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize the national cybersecurity defenses. However, the Colonial Pipeline incident was a stark reminder that federal action alone is not enough. A considerable part of America’s domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own decisions about how much to invest in cybersecurity.
Companies in the private sector are encouraged to follow the Federal government’s lead and take ambitious measures to increase and align their cybersecurity investments with the goal of minimizing future incidents.
Executive Order Key Points:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector: The Executive Order ensures that IT service providers can share certain information with the government and are required to share certain breach information. IT providers are commonly hesitant, or even unable, to share information about a compromise; sometimes this is due to legal obligations, and in other cases providers may simply be reluctant to disclose their own security breaches. Removing contractual barriers and requiring providers to share any breach information that could impact Government networks is necessary to enable more effective defense of Federal departments and improve the cybersecurity of the Nation.
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government: The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and authorizes the deployment of multifactor authentication and encryption within a limited time period. Outdated security models and unencrypted data have led to compromises of systems in both the public and private sectors. The Federal government ought to lead the way in increasing the adoption of security best practices, including the use of a zero-trust security model, accelerating the move to secure cloud services, and consistently deploying foundational security tools such as encryption and multifactor authentication.
Improve Software Supply Chain Security: The Executive Order improves software security by establishing baseline security standards for the development of software sold to the government, including requiring developers to maintain greater visibility into their software and to make security data publicly available. It establishes a concurrent public-private process to develop new and innovative approaches to secure software development and applies the power of Federal procurement to incentivize the market. Lastly, it creates a pilot program for an “energy star” type of label so the government, and the public, can easily determine whether software was developed securely. A well-known and long-standing problem is that too much software, including critical software, ships with significant vulnerabilities that adversaries exploit, and a solution has been delayed for too long.
Establish a Cybersecurity Safety Review Board: The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make objective recommendations to improve cybersecurity. Too often, organizations repeat the mistakes of the past and fail to learn from significant cyber incidents. When something goes wrong, it is the job of the Administration and the private sector to ask the hard questions and make the necessary improvements.
Create a Standard Playbook for Responding to Cyber Incidents: The Executive Order creates a standardized playbook and a set of definitions for cyber incident response to be used by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to a cyberattack. Recent incidents have shown that, within the government, the maturity of response plans varies widely. This playbook will ensure that all Federal agencies meet a certain threshold and are prepared to respond uniformly to identify and mitigate a threat. The playbook will also give the private sector a template for its own response.
Improve Detection of Cybersecurity Incidents on Federal Government Networks: The Executive Order improves the ability to detect malicious cyber activity on federal networks by implementing a government-wide endpoint detection and response system and improving information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to its adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are fundamental to that.
Improve Investigative and Remediation Capabilities: The Executive Order creates cybersecurity event logging requirements for federal departments and agencies. Poor logging handicaps an organization’s ability to detect intrusions, mitigate those in progress, and determine the full scope of an incident after the fact. Consistent and robust logging practices will solve much of this problem.