Biden’s Executive Order to improve the nation’s cybersecurity is a good first step, but it is unlikely to materially change the defensive posture of the nation
In response to recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline ransomware attack, President Biden on May 12, 2021 signed an Executive Order (EO) to improve the nation’s cybersecurity and protect federal government networks. For close observers, this seems to be like Groundhog Day, as past incoming administrations have issued similar executive orders to address insufficient cybersecurity defenses that leave public and private sector entities vulnerable to attacks. The National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) Program are good examples of past attempts to strengthen the federal government’s security posture and improve cyber resilience. The big question is whether the proposed actions in this new EO are attainable.
For months, news headlines have been dominated by a series of cyber-attacks that highlighted how vulnerable enterprises and government agencies are to nation-sponsored threat actors and cybercriminals. Once these attacks started impacting our economic security by leading to gas shortages and nation-wide price increases, the Biden administration reacted swiftly, acknowledging that the federal government must improve its efforts to identify, deter, protect against, and respond to cyber-attacks and threat actors.
In this context, the EO highlights numerous areas of weakness in the nation’s cybersecurity defense strategy and proposes many commendable practices to mitigate them, such as:
• Remove Barriers to Threat Information Sharing Between the Government and the Private Sector: To enable more effective defenses of federal agencies and improve the nation’s resilience, IT service providers will be required to share certain data breach information that could impact government networks.
• Modernize and Implement Stronger Cybersecurity Standards in the Federal Government: To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the federal government must take decisive steps to modernize its approach to cybersecurity, including accelerating movement to secure cloud services, establishing a Zero Trust architecture, and deploying foundational security tools such as multi-factor authentication and data encryption.
• Improve Software Supply Chain Security: Besides establishing baseline security standards for the development of software sold to the federal government, the EO calls for the creation of a pilot program to create an “energy star” type of certification so the government – and the public at large – can quickly determine whether software was developed securely.
• Establish a Cybersecurity Safety Review Board: To analyze what happened in a cyber-attack and derive concrete recommendations for improving cybersecurity, the EO calls for the creation of a Cybersecurity Safety Review Board, which is co-chaired by government and private sector leads. This board is modeled after the National Transportation Safety Board, which is used to investigate airplane crashes and other incidents.
• Create a Standard Playbook for Responding to Cyber Incidents: To assure preparedness in taking uniform steps to identify and mitigate cyber threats, the EO calls for the creation of a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. The playbook will also provide the private sector with a template for its response efforts.
• Improve Detection of Cybersecurity Incidents on Federal Networks: Acknowledging the slow and inconsistent deployment of foundational cybersecurity tools and practices across government agencies, the EO calls for the deployment of a centralized endpoint detection and response initiative, active cyber-hunting, containment and remediation, as well as incident response.
• Improve Investigative and Remediation Capabilities: The EO creates cybersecurity event log requirements for federal departments and agencies.
Where the Rubber Meets the Road
As with prior Executive Orders and cybersecurity frameworks, it is important to note that none of the standards and requirements outlined are applicable to commercial entities – instead, they’re focused solely on strengthening the federal government system. However, much of our nation’s critical infrastructure is owned and operated by the private sector, and those organizations make their own decisions regarding cybersecurity investments.
Another reason why some experts are skeptical about the success of President Biden’s EO, is that the bureaucratic environment within federal agencies often leads to inertia when it comes to applying cybersecurity best practices in their day-to-day operations. Exposure to cyber risks is just one of many challenges that federal agencies must deal with. Lack of funding, and to a greater extent lack of cyber talent is contributing to slow adoption rates. Furthermore, many agencies are struggling to determine what security framework or best practices would offer the highest return on investment, as they’re simply overwhelmed when it comes to the regulations and programs they must comply with.
Best Advice: Think Like a Hacker
Implementing an effective security strategy requires an understanding of hackers’ tactics, techniques, and procedures – often called TTPs. Thinking like a cyber-attacker allows security practitioners to focus on implementing security controls with the greatest rate of return for preventing breaches. In this context, it is encouraging that President Biden’s EO calls out three often exploited threat vectors that government agencies need to address if they want to effectively defend against today’s threats:
• Compromised Identities: Government agencies should focus on hardening access controls by verifying who is requesting access, the context of the request, and the risk associated with the asset. The “never trust, always verify, enforce least privilege” model, or Zero Trust, provides the greatest security return on investment regardless of the industry.
• Endpoint Security: Endpoints serve as the main points of access to an enterprise network and can be exploited by malicious actors. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months. Thus, it is vital to maintain granular visibility and control over these access points to establish cyber resilience.
• Software Resilience: The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. In turn, there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.
Overall, this EO is a good first step but it is likely not going to materially change the defensive posture of the nation. If America’s national security interests are to truly be protected, government agencies and enterprises need to model their defense strategies by thinking like a hacker and tackling the TTPs that are commonly used in today’s attacks.