On Wednesday, May 12, President Joe Biden named cybersecurity a top national security issue and signed Executive Order 14028, Improving the Nation’s Cybersecurity. His signature dried in the midst of a high-profile cyberattack against the Colonial Pipeline, which captivated the nation. His order primarily focused on directing government agencies to implement cybersecurity protocols aimed at boosting their defenses against cyberattacks in collaboration with the private sector. Below are some key takeaways on improving US cybersecurity regulations from the 15-page executive order.
Removing Barriers for Information Sharing
Currently, government contracts and policies restrict the ability of agencies and contractors to share information on cyberattacks with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other intelligence agencies. Biden’s executive order removes these barriers, encouraging sharing of information on threats, incidents, and risks. It also establishes a framework to ensure effective information sharing among agencies.
Timely information sharing has been a game-changer in past cyberattacks, with information sharing and analysis centers (ISACs) being formed across a variety of agencies and sectors. More broadly, when information is shared, breach victims and threat researchers are able to warn other organizations. For example, when FireEye notified the industry that it was impacted by the SolarWinds breach, the indicators it shared enabled more widespread discovery. Since this was a supply chain attack, many organizations, including government organizations, were affected but may not have known they were victims if FireEye had not disclosed the information it did. Without this information sharing, the successful foreign campaign might still be operating undetected.
Requirement To Adopt Cybersecurity Hygiene
Biden’s mandate for cybersecurity hygiene includes advancing toward zero trust architecture and speeding up the move to secure cloud services with the promise to invest in the resources needed to modernize. The executive order requires adoption of multifactor authentication (MFA), vulnerability management, and encryption incorporating standards from the National Institute of Standards and Technology (NIST). The executive order additionally calls for security log collection and deployment of endpoint detection and response (EDR) technology. Unfortunately, both of these technologies are notoriously difficult to manage, and the executive order makes no mention of how agencies will overcome this.
For organizations that do not have the resources to wrangle these technologies in-house, we recommend looking at a managed detection and response (MDR) solution. At Pondurance, our MDR provides proactive security services backed by authentic human detection. Technology is not enough to stop cyber threats. Human attackers must be confronted by human defenders. Learn more about MDR in our eBook: 5 Things to Consider When Choosing an MDR Provider.
Establishing a Cybersecurity Safety Review Board
The Department of Homeland Security, in consultation with the attorney general, will establish a Cybersecurity Safety Review Board modeled loosely on the National Transportation Safety Board, which investigates airplane crashes and other transit failures. The board will review and assess significant cyber incidents, threats, vulnerabilities, mitigation activities, and agency responses. The board will include members from the Department of Defense, the Department of Justice, CISA, the National Security Agency, and the FBI, as well as members from the private sector.
Pilot Product Labeling Program
The executive order starts a pilot product labeling program to better educate the government and commercial businesses on their purchase decisions. This program will be similar to the Energy Star program that makes it easy for consumers to identify energy-efficient products. When government or commercial organizations are looking at a new software vendor or a new program to integrate into their systems, the goal is to make it easy to tell if that vendor has the appropriate security in place to defend against today’s cyberattacks.
Although it is a compelling concept, it will take significant public-private partnerships to define and manage such a labeling system. Historically, many breach victims passed a compliance audit shortly before they were breached, so the program will have to focus on a scoring system that more accurately correlates with the risk of a given product. Additionally, because vulnerabilities and threats change constantly, it is difficult to imagine a static labeling system working.
This is just a sample of the contents of the executive order released on Wednesday. While the executive order is focused on a number of the right solutions, many of these ideas have been floated for years. The success of the executive order will ultimately come down to the ability of agencies, government contractors, and suppliers to implement the mandated defensive measures. Unfortunately, nothing in the executive order discusses methods for filling the cybersecurity vacancies that plague industry and government agencies. In her recent testimony to Congress, Pondurance Board Chair Niloo Howe proposed a number of ideas, including the concept of a civilian cyber reserve force to help fill the immense talent gap.
If your organization needs a cybersecurity review or needs to manage the risk posed by threats and vulnerabilities, reach out to us to discuss!