President Joe Biden signed a cybersecurity executive order on May 12 to help strengthen the federal government’s cyber defenses and increase cooperation between the public and private sectors. The Executive Order on Improving the Nation’s Cybersecurity, which has been in the works for months, comes on the heels of a spate of high-profile cyberattacks in the last few months, including the ransomware attack on the Colonial Pipeline, the supply chain attack on SolarWinds and attacks that targeted Microsoft Exchange vulnerabilities.
“Recent cybersecurity incidents … are a sobering reminder that U.S. public- and private-sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” read a White House fact sheet on the executive order. “These incidents share commonalities, including insufficient cybersecurity defenses that leave public- and private-sector entities more vulnerable to incidents.”
The executive order is an important step forward in creating a national standard for cybersecurity practice. Overall, it aims to remove barriers to threat information sharing between the government and private sector, modernize and implement stronger cybersecurity standards within the federal government, improve software supply chain security, establish a cybersecurity safety review board, create a standard playbook for responding to cyber incidents, improve detection of cybersecurity incidents on federal government networks, and improve investigative and remediation capabilities.
“As last week’s ransomware attack against the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate, our nation faces constant cyber threats from nation-states and criminal groups alike,” said Cybersecurity and Infrastructure Security Agency (CISA) acting director Brandon Wales in a statement. “This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”
The goal of the cybersecurity executive order is not just to boost the government’s cyber defenses, as the majority of attacks are not on government entities. The hope is this greater investment in federal cybersecurity will trickle down to the private sector, as well. But even the White House fact sheet admits creating a universally accepted standard for cybersecurity is no easy task.
“The Colonial Pipeline incident is a reminder that federal action alone is not enough,” it said. “Much of our domestic critical infrastructure is owned and operated by the private sector, and those private-sector companies make their own determination regarding cybersecurity investments. We encourage private-sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
If the last few months of cyberattacks have shown anything, it’s that private industry needs to get involved in the fight against malicious cyber actors. Companies must invest in cybersecurity, and the executive order could help in that regard. Where the money will come from is an open question. Sam May, certified information systems security professional (CISSP) and senior compliance advisor with cybersecurity firm Steel Root, said there are steps the government can take to help encourage investment in cybersecurity.
“If the Biden administration is serious about DIB (defense industrial base) cybersecurity, they will work to have legislation introduced that allows capital investments into cybersecurity to be fully tax-deductible,” May said. “Then they will work across the aisle to ensure that it becomes profitable for firms to invest in cybersecurity.”
Private companies will also need professionals to properly guide them in the implementation of cybersecurity measures. May suggested the federal government create a task force to inspect DIB members for cyber compliance, especially in the case of smaller firms that may not have mature cybersecurity practices.
“Then, and here’s the important part, close the gaps for them,” May said. “Kind of like the whole, ‘If you don’t have a lawyer, one will be provided to you,’ evolution. If you don’t have a cyber person, one will be provided to you. The federal government can pay for the cyber firms that do exist to take on mini- and micro-DIB members to get them compliant.”
The cybersecurity executive order instructs the federal government to adopt as widely as possible two principles that could have a positive impact: multifactor authentication (MFA) and zero-trust architecture.
Multifactor authentication safeguards important data by requiring both something you know (e.g., a password) and something you have (e.g., a cellphone) before access is granted. Zero-trust architecture is a newer concept based on the belief that all users, whether inside or outside an organization’s network, must be authenticated and verified before gaining access to data. It essentially treats all users as potential threats.
According to Ryan Heidorn, co-founder and managing partner of Steel Root, this mention of zero-trust architectures is one of the most important aspects of the executive order, but it does present some complications.
“The emphasis in the executive order on zero trust can’t be understated,” Heidorn said in an email. “The writing is on the wall (and now in an EO): The federal government is making a rapid push to develop zero-trust strategies, task forces, etc. But there’s a potential conflict in that federal frameworks (Risk Management Framework, Cybersecurity Maturity Model Certification) were developed around a different set of principles.”
Though this executive order is a good start and an indication of how seriously the Biden administration takes cybersecurity, there is no simple solution to securing national cyber defenses. May said he would like to see explicit requirements placed on the federal government to take concrete actions to improve information security in measurable ways.
“This EO is a laundry list of requirements for departments to make studies of themselves in order to find ways to do what they already are required to do,” May said. “I want to see an administration that has the sophistication to explicitly direct the federal government to take measurable actions to secure the infrastructure, and I want to see agencies who do not meet those explicit requirements held publicly accountable to the taxpayers. Next, provide capital incentives and human resources to DIB firms who need to improve their cybersecurity.”
Another potential issue is that while executive orders do have the power of law behind them, the U.S. Constitution grants the power of the purse to Congress. The cybersecurity executive order sets out a strong roadmap, but it will obviously have more impact if Congress puts funding behind the efforts.
“[The executive order] allows the affected departments to ensure any new programs that may be created by the EO make it to the House and Senate for their respective budgets,” May said. “A federal department that is merely asking for money to create (or expand) a program may or may not get funded, but when that department has been ordered to do so by the executive branch, the likelihood of the project getting funded goes up.”
While some elected officials and industry leaders have hailed the cybersecurity executive order as a positive development, most note it is only the first step in a long and complicated process required to safeguard the national infrastructure.
“This executive order is a good first step, but executive orders can only go so far,” said Sen. Mark Warner, D-Va., chairman of the U.S. Senate Intelligence Committee, in a statement. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”