On May 12, 2021, President Joseph Biden issued an Executive Order on Improving the Nation’s Cybersecurity. Recognizing the fact that “the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten...the American people’s security and privacy”, President Biden has taken a bold (and much needed) step forward to protect the critical software used in the public sector by establishing new standards for greater transparency, encouraging modernization of our nation’s security architectures and ensuring better coordination and communication across agencies to effectively combat threats.
While this executive order was originally inspired by the SolarWinds breach discovered in 2020, the announcement couldn’t be more timely, when we consider the recent news about the Colonial Pipeline ransomware attack. These attacks on business-critical applications and mission-critical systems are increasing, so it’s very encouraging that President Biden is making such a landmark effort to put the weight of the Federal Government behind deterring future cyberattacks.
This executive order is broad in scope and aggressive in timing, but I wanted to highlight four interesting takeaways from the order:
1. Breaking Down Barriers to Threat Information Sharing Is Critical
Public and private entities are connected in more ways than ever before. Our core systems, like financial systems or supply chain management software, are connecting to cloud applications in ways that accelerate business but also, unfortunately, can leave organizations vulnerable to attacks. In the event of an attack, time is of the essence to mitigate any damage. This order recognizes that organizations sometimes face barriers to, or hesitate about, freely sharing information with one another, and it directs that the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements be amended to enable easier information sharing.
2. Security Capabilities Need to Modernize and Catch Up with Our Continuing Digital Transformation
We all know that cloud applications deliver enormous benefits to organizations and enable massive efficiencies at scale for businesses globally. The challenge is that many security models have not kept up with our evolving digital transformation, leaving blind spots. Our now-interconnected business-critical applications - both on-premise and in the cloud - are highly vulnerable to attack from an increasing number of vectors across that extended enterprise. The executive order accelerates the push to better secure cloud services (i.e., SaaS, PaaS, IaaS) and lays out an ambitious mandate to advance toward Zero Trust Architecture. This inextricably ties cloud migration to a healthier zero trust approach.
3. More Transparency in and Rigorous Scrutiny of the Software Supply Chain Is Required
Think back to the SolarWinds incident. A routine software update turned into a not-so-routine breach. President Biden has the software supply chain clearly in his sights with a number of provisions designed to prevent code tampering in business- and mission-critical software as well as enforce better security hygiene with both public developers and private vendors. The order calls on the National Institute of Standards and Technology (NIST) to solicit input across the public sector, private sector and academia. The goal is to develop new standards and criteria to evaluate and rate both the security of software and the involved software components used during the software development process.
4. We Need a Standard Fed Playbook for Incidents and Broader Oversight
The executive order calls for the creation of a standard framework for vulnerability and incident response within 120 days of the date of the order to ensure better coordination across agencies for a more effective response to threats. It also requires the creation of a Cybersecurity Safety Review Board that can “review and assess, with respect to significant cyber incidents...affecting [Federal Civilian Executive Branch] FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.” This is an exciting step, as the board is analogous to the National Transportation Safety Board which steps in and asks the hard questions after crashes and other incidents. Finally, the order calls for building enhanced capabilities in the Federal Government to improve the detection, investigation, and remediation of cybersecurity vulnerabilities and incidents.
A Bold Step Forward...But There’s More Work to Be Done
For those of us who have been in the cybersecurity trenches for a long time, this executive order is ambitious, very welcome, and arguably, overdue. With the Federal Government establishing these higher standards, expect not just an improvement in the security posture of the public sector but also subsequent improvements in how security vendors and CISOs at private enterprises conduct business and secure their business-critical applications both on-premise and in the cloud.
It’s key to note that this executive order recognizes the important partnership between the public and private sectors. No one—not even the Federal Government—can do this alone. A shared responsibility model for cybersecurity with established standards and information sharing between the public and private sectors is critical to the well-being of our nation and our society.
At Onapsis, our mission remains the same as it has since our founding more than a decade ago. We protect the business and mission-critical software applications that keep the Fortune 500 and public sector entities running. Our researchers and experts put in incredible effort to understand and uncover zero days used by threat actors to exploit business-critical applications, and we strive to responsibly collaborate as partners with other software vendors and clients to help mitigate the risk more broadly. We equip our clients with impactful threat intelligence to help them understand their vulnerabilities and better monitor and respond to threats; provide visibility as they transition to a modern cloud architecture; aid them in compliance to standards, such as those that are (or will be) established by NIST; and strengthen their DevSecOps to proactively secure the software development lifecycle.
Ultimately, this executive order is a great first step in tightening up security controls for the 21st century; increasing information sharing and collaboration between the public and private sectors; and preparing our nation to mitigate risk and reduce the magnitude of future incidents affecting our critical systems. Onapsis looks forward to sharing our research and expertise to help inform the new standards that will better protect these mission-critical applications that power our interconnected global economy.