Potential Impact of the “Executive Order on Improving the Nation’s Cybersecurity”
Posted by: Matt Keller
In response to the recent spate of cyberattacks on the U.S., from the SolarWinds and Microsoft Exchange compromises to the ransomware attack on Colonial Pipeline, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity," aimed at raising the Federal government's cybersecurity standards.
The EO is broad both in scope and in the aggressive timelines the administration has laid out. It is the most comprehensive change to the national cybersecurity strategy in years and sets out a path toward modernization. It also moves beyond the existing, separate guidance on cyber incident handling (NIST SP 800-61 for civilian agencies and CJCSM 6510 for DoD), seeking to unify the executive branch under common reporting requirements and to provide reporting guidance to the private sector.
Assuming federal agencies follow through with full adoption, this executive order should significantly strengthen U.S. cyber defenses. The specificity of some of the controls and strategies it names should go a long way toward moving the country's defensive posture from a primarily compliance-driven perspective to a genuinely risk-based one. That is a huge shift for most government agencies, but if they follow through, the Federal government should see a significant increase in its security posture and resilience.
Where the Executive Order Could Have Its Biggest Impact
The executive order is comprehensive and should drive movement in several significant areas of cybersecurity that have not previously been top of mind for Federal agencies.
- Operationalizing Cybersecurity. A national-level executive order on cybersecurity should prioritize operationalizing cybersecurity, and this EO does: it calls for strong endpoint detection and response (EDR) capabilities, coordination and automation across threat intelligence, incident response and threat hunting, defined logging and monitoring strategies, and vulnerability management, all of which are critical to operationalizing security. Shifting from traditional antivirus to EDR puts tools in the hands of cyber operators to identify threats from behaviour, rather than waiting for a signature-based tool to recognize a sample it has already seen. Sizing log retention to the goal of identifying threats, rather than to how much storage an agency can afford for a set period, will also have a significant positive impact, since a hunt can only reach back as far as the logs go.
- Shift from Compliance to Security. Historically, the government has focused primarily on preventative measures and compliance. The shift to an "assumed breach" mindset is critical to maturing an entity's security posture, and should incorporate continuous threat hunting and monitoring of the environment to limit the impact of a successful compromise. Given the determination of our adversaries, it is inevitable that preventative measures will fail; by operating as if already compromised, entities can eradicate threat actors from the environment quickly and prevent catastrophic impacts.
- A focus on supply chain and software security, prompted by the SolarWinds and Exchange breaches. The executive order attempts to establish an official AppSec program for each agency that examines externally sourced software and the process for selecting vendors to support government networks. It also puts a focus on analyzing the threat from internally developed software, including the risk an application introduces to an agency and the risk applications inherit from the components and dependencies they are built on.
- Securing the Cloud. The push to modernize government networks and adopt the security capabilities available in the cloud will have a profound effect. More specifically, the executive order weighs SaaS, IaaS and PaaS against an organization's on-premises infrastructure, and focuses on managing the software rather than the infrastructure required to run it. The government appears to be putting more emphasis on emerging vendors and technologies as a path to faster identification of and response to emerging threats.
- Adopting a Zero Trust Architecture. The shift in mindset from compliance to security, combined with a defined strategy for Zero Trust Architecture, should have a major impact on the government's cybersecurity posture. The goal is to extend cybersecurity beyond the traditional network boundary and to account for the increased risk from COVID-19 and work-from-home environments. A Zero Trust Architecture will help organizations identify key assets and data within the network and protect them beyond what traditional perimeter-based methods can do.
To accomplish all of this, agencies must look at best-of-breed solutions that can be integrated to provide the necessary visibility and situational awareness, and to automate routine tasks for accuracy and speed. Given the tight timelines in the executive order, agencies should look for partners who can help assess, plan and implement the right solutions.
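The two points above about EDR versus signature-based antivirus and about log retention can be made concrete. The following is an added example, not code from the original post or from any product it mentions: it runs a hash-signature check and three simple behavioural rules over a small set of constructed process-start events, then shows how far back a hunt can see under a 7-day versus a 30-day retention window. The host names, command lines, the stand-in "hashes" (derived from labels) and the rules themselves are all assumptions made for the illustration.

```python
"""
Added example: hash-signature antivirus versus behaviour-based (EDR-style)
detection, plus the effect of log retention on a threat hunt.
All telemetry below is constructed; the rules are simplified stand-ins for
the kind of logic an EDR product ships.
"""
import hashlib
from datetime import datetime, timedelta

# Fixed "now" so the retention-window results are reproducible.
NOW = datetime(2021, 6, 1, 12, 0, 0)


def label_hash(label: str) -> str:
    """Readable stand-in for a file's SHA-256 (assumption: hash of a label)."""
    return hashlib.sha256(label.encode()).hexdigest()


def event(days_ago, host, parent, image, cmdline, label):
    return {"ts": NOW - timedelta(days=days_ago), "host": host, "parent": parent,
            "image": image, "cmdline": cmdline, "sha256": label_hash(label)}


ENCODED_PS = "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"

# Constructed process-start telemetry from two workstations.
EVENTS = [
    # Day -20, initial access on ws-17: Word launches encoded PowerShell ...
    event(20, "ws-17", "winword.exe", "powershell.exe", ENCODED_PS, "powershell"),
    # ... which drops an implant posing as svchost.exe outside System32.
    event(20, "ws-17", "powershell.exe", "svchost.exe",
          "C:\\Users\\Public\\svchost.exe", "implant-v1"),
    # Day -3, same chain on ws-42, but the implant was rebuilt (new hash).
    event(3, "ws-42", "winword.exe", "powershell.exe", ENCODED_PS, "powershell"),
    event(3, "ws-42", "powershell.exe", "svchost.exe",
          "C:\\Users\\Public\\svchost.exe", "implant-v2"),
    # Day -1, benign activity.
    event(1, "ws-42", "explorer.exe", "notepad.exe", "notepad.exe notes.txt", "notepad"),
]

# --- Signature approach: the file must already be in the vendor feed ---------
KNOWN_BAD_HASHES = {label_hash("implant-v1")}


def signature_hits(events):
    """(event, ['known_bad_hash']) for each event whose hash is in the feed."""
    return [(e, ["known_bad_hash"]) for e in events if e["sha256"] in KNOWN_BAD_HASHES]


# --- Behavioural approach: describe the technique, not the file --------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def office_spawns_script_host(e):
    return e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS


def encoded_powershell(e):
    c = e["cmdline"].lower()
    return e["image"] == "powershell.exe" and ("-enc" in c or "-encodedcommand" in c)


def system_name_outside_system_dir(e):
    # Image carries a Windows system binary's name but runs from elsewhere.
    path = e["cmdline"].split(" ", 1)[0].lower()
    return e["image"] in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS)


RULES = [office_spawns_script_host, encoded_powershell, system_name_outside_system_dir]


def behaviour_hits(events):
    """(event, [matched rule names]) for every event at least one rule fires on."""
    hits = []
    for e in events:
        matched = [r.__name__ for r in RULES if r(e)]
        if matched:
            hits.append((e, matched))
    return hits


def flagged_hosts(hits):
    """Hosts implicated by a list of (event, reasons) hits."""
    return {e["host"] for e, _ in hits}


# --- Retention: a hunt can only reach back as far as the logs go ------------
def dwell_days(events, retention_days):
    """Days since the earliest behaviourally flagged event still retained, or None."""
    cutoff = NOW - timedelta(days=retention_days)
    kept = [e for e in events if e["ts"] >= cutoff]
    flagged = [e for e, _ in behaviour_hits(kept)]
    if not flagged:
        return None
    return (NOW - min(e["ts"] for e in flagged)).days


if __name__ == "__main__":
    print("signature hosts :", sorted(flagged_hosts(signature_hits(EVENTS))))
    print("behaviour hosts :", sorted(flagged_hosts(behaviour_hits(EVENTS))))
    for days in (7, 30):
        print(f"dwell visible with {days}d retention:", dwell_days(EVENTS, days))
```

The signature check finds only the first implant on ws-17, because the rebuilt copy on ws-42 has a hash nobody has seen yet; the behavioural rules flag the Word-to-PowerShell chain and the misplaced svchost.exe on both hosts. With 7 days of logs the hunt sees a 3-day-old intrusion; only with 30 days does it reach the true initial access 20 days earlier, which is the difference between cleaning one host and understanding the whole incident.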
Areas Where the Cybersecurity Executive Order Can Be Improved
The executive order is a great start toward significant improvements in the nation's overall cybersecurity posture. However, there are some areas for improvement:
- One potential area of improvement is the incident reporting requirements being mandated. Rapid incident reporting is important, but accurate reporting after the full scope of an incident is understood is even more critical. For the many agencies and contractors that lack an incident response capability, or lack full visibility into the scope of an incident, the order could result in a significant amount of false positives or incomplete information being reported just to meet the deadline.
- While there is a lot in this executive order, certain items, such as Red Team assessments and a formal Cyber Hunt (Blue Team) capability, are not specifically called out. Hunting activities are discussed, but there is not much direction on how to stand them up.
- It is unclear how active a role the government will take in identifying the risk to an agency based on actual vulnerabilities and threats. The order focuses on verifying applications and maintaining security within an application, but there is less focus on testing security controls and the implementation of security devices.
- An aggressive deadline is good in that the proverbial can cannot be kicked down the road any longer. However, the initiatives agencies must undertake to meet the goals of this order will take time to plan and implement effectively. Getting it right is more important than doing something fast. Getting it right and moving quickly will most likely require help from experienced consultants who can look at the big picture and have the hands-on experience to implement the right solutions.
- Another area of improvement to consider is that funding is not addressed in this executive order. Many agencies already need more funding for cybersecurity initiatives than has been allocated, and this order will require additional resources to meet its objectives.
The Potential Impact of Biden’s Cybersecurity Executive Order on the Private Sector
For many years, the cybersecurity teams within private sector companies have been tucked away inside the IT organization, not treated as true business stakeholders with clear accountability and visibility at the Board of Directors level. Many highly regulated industries have started to change this, but cybersecurity is still often seen as an expense line item rather than a business enabler.
The continuous onslaught of headline news is starting to shift this mindset, and organizations of every size and industry are starting to see that cybersecurity is a critical component of the business. With the President making this a top-level priority of his administration, and with high-stakes supply chain attacks having potentially massive impacts on the nation, it is clear that the public and private sectors must align further by sharing threat intelligence, integrating solutions and implementing agreed-upon best practices. The government also appears to be looking to evolve the Federal Acquisition Regulation (FAR) to align with this new approach to cybersecurity. The hope is to shorten time to market and to build more partnerships with the private sector to collectively engage in the cyber battle.
12 Months Later: Progress and Challenges to Improving the Nation’s Cybersecurity
Now that a year has passed since President Biden's EO on improving the nation's cybersecurity, it seems increasingly clear that the order is forcing Federal agencies to scrutinize their cybersecurity programs and to focus on operational security rather than compliance alone.
The EO has not been without its challenges; it has caused some agencies to struggle with understanding and implementing proper application security. A follow-on to the order could nonetheless strengthen the nation's ability to unify its focus on application security.
Final Thoughts
This executive order moves the government from a checkbox compliance approach to a more operationalized approach to cybersecurity. Another notable point in the EO is that the government is looking to move away from separate civilian and DoD processes for handling incidents, ultimately creating a universal "playbook" for reporting and response. This is key to increasing the government's overall effectiveness as one unit, instead of two separate and distinct areas of the executive branch.
Matt Keller
VP Federal Services,
GuidePoint Security
Matt Keller is responsible for providing world-class information security solutions to government customers across the globe. Mr. Keller is also responsible for architecting, designing, and engineering solutions to combat advanced cyber security threats, including network, system, and investigation challenges.
Prior to joining GuidePoint, Mr. Keller worked for a Government Systems Integrator, where he led a team of security engineers to design and develop next-generation threat protection and defenses. Before that, Matt was a Principal Cyber Forensics Analyst for the Department of Defense, where he worked both Law Enforcement and Cyber Intrusion cases.
Matt has extensive experience in architecting and engineering government private cloud solutions and currently advises government customers on Attack Driven Defenses for network protection. He began his career in Information Technology and Security in 2006 and has a Master’s Degree in Information Security from Eastern Michigan University and multiple forensic certifications from both private and DoD institutions.