Executive Order on Cybersecurity – Nathan’s Review

By issuing a sweeping cybersecurity executive order on Wednesday, the Biden administration is attempting to take a critical step to address security issues that have come to light after recent cyber attacks.

The 30-page Executive Order on Improving the Nation’s Cybersecurity covers a host of cybersecurity issues. It describes how government agencies should evaluate the software they buy. It mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. And it calls for these agencies to adopt “zero trust” architectures and more secure cloud services.

The goal, according to a senior administration official, is to modernize the government’s IT infrastructure while creating a set of standards to help minimize the damage caused by cyberattacks, such as those that recently affected Colonial Pipeline Co., SolarWinds and its customers, and certain users of Microsoft Exchange.

“For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort and money,” the senior administration official, who spoke on the condition of anonymity, told reporters. “And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ be the status quo under which we operate.”

“The order brings multiple levers of federal government authority to bear, including the most comprehensive proposed use of procurement power ever,” says Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security.

Here are a few key takeaways from Biden’s executive order:

‘Zero Trust’ Is a Priority

  • The executive order mandates that executive branch federal agencies create “zero trust” environments. The administration says this is key to ensuring security when implementing cloud computing environments and services and modernizing the IT infrastructure of the federal government.
  • The document notes that within 60 days, the agencies must update plans to prioritize the adoption and use of cloud technology as well as develop a plan to implement zero trust architecture.
  • “What this does is incentivize federal agencies to adopt zero trust within their own on-premises technologies. It also creates a zero trust mindset in how they can approach their on-premises technologies and when they move to the cloud … and the incentives are clearly very important. That’s going to be a challenge for everybody because the first thing they need to do is determine what you need to protect – and that takes longer than 60 days.”

Supply Chain Risks Must Be Addressed

The executive order also lays out extensive new guidelines for how federal agencies must evaluate software needed for their IT infrastructures – a clear nod to addressing supply chain issues, which were highlighted in the SolarWinds attack in which attackers used a Trojanized software update.

The order describes three key provisions:

  • Agencies must implement baseline security standards for software, including requiring developers to maintain greater visibility into their applications and make security data available.
  • Agencies must develop new requirements for making sure vendors address security as software is developed. The federal government will use its purchasing power to incentivize companies to follow these requirements.
  • The government will create a pilot program for an “energy star” type of label signifying whether software follows the new security guidelines.
    • The senior administration official noted that Singapore created a similar rating system for the security of IoT devices. “The executive order directs the National Institute of Standards and Technology to develop a similar program and to work with the private sector and other agencies to find ways to encourage manufacturers to participate,” the official said.
    • Commenting on the supply chain measures, Reitinger says: “I’d like to see incentives or requirements to take the measures developed under this section for the government and make them available as a package to the private sector, and be implemented in cybersecurity regulations already imposed by the government.”

Cybersecurity Safety Review Board Will Be Created

  • The executive order calls for establishing a “Cyber Incident Review Board” modeled on the National Transportation Safety Board. The new body will investigate cybersecurity incidents and make recommendations for improving security.
  • The secretary of the Department of Homeland Security, along with the attorney general, will establish the board, which will include members from the departments of Defense and Justice, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI, as well as representatives from private industry.

Barriers to Sharing Threat Intelligence Must Be Removed

  • The Biden order also calls for removing some of the contractual barriers that hamper the sharing of threat intelligence between government agencies, such as the FBI and CISA, and companies, such as those that provide cloud services.
  • “Removing these contractual barriers and increasing the sharing of information about such threats, incidents and risks are necessary steps to accelerating incident deterrence, prevention and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed and maintained by or for the federal government,” according to the order.
  • But the order doesn’t do enough to ensure that when data is shared, it’s acted upon, says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI’s New York office.

Supply chain risk has been front and center with SolarWinds and others. The issue is that smaller vendors in the supply chain don’t have the human or capital resources to properly protect themselves and, by the nature of the chain, the rest of us.