On Wednesday May 12, the Biden administration took a critical step towards addressing security issues that have come to light after several recent, high profile cyberattacks.
The extensive Executive Order (EO) described the government's plan to increase cybersecurity protection across the public and private sectors as well as secure the nation's digital infrastructure against the type of attack that recently shut down the Colonial Pipeline, a critical source of fuel for the entire East Coast.
The 30-page Executive Order on Improving the Nation’s Cybersecurity covers a plethora of cybersecurity issues. It describes how government agencies should evaluate the software they buy. It mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. And it calls for these agencies to adopt "Zero Trust" architectures and more secure cloud services.
Let’s take a look at three of the key areas in the Order:
Prioritize Zero Trust
The EO mandates that executive branch federal agencies create "Zero Trust" environments. The administration says this is key to ensuring security when implementing cloud computing environments and services and modernizing the IT infrastructure of the federal government.
The document notes that within 60 days, the agencies must update plans to prioritize the adoption and use of cloud technology as well as develop a plan to implement zero trust architecture.
Adopting a Zero Trust mindset is not only a critical element of a robust cybersecurity posture, but also a popular one. This is primarily because it doesn’t innately trust any user or application until verified by multi-factor authentication (MFA) and also doesn’t require much CapEx to get off the ground.
Zero Trust compliance ultimately rests on two main pillars: Strong identity and access management, and a mature data identification and classification framework.
That means that to implement a true Zero Trust framework, organizations need to know everything about their sensitive data (including personally identifiable information, payment card information, intellectual property, and other sensitive data types): When it is created and by whom, where it is stored, and how and with whom it can be shared.
Related reading: Why Zero Trust is So Hot Right Now - And How Data Classification Make it Happen
Address Supply Chain Risks
The EO notes that the commercial software used by federal agencies often lacks adequate controls to prevent attackers from gaining access and states the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
Within 30 days of the order's signing, the secretary of the Department of Commerce - acting through the director of the National Institute of Standards and Technology (NIST) - must solicit input from federal agencies, the private sector and academia. The government will then use this information to develop guidelines and criteria to evaluate software security and the best practices software developers must use.
From recent events we know that no organization is immune to the risk of supply chain cyberattacks and data breaches, and those with especially large and complex supplier ecosystems are even more vulnerable. This has been exacerbated in recent months due to the pandemic and the expanded attack surface as a result of a more widely dispersed workforce.
The main challenge here is that smaller organizations have neither the resources in personnel nor the capital to protect themselves and therefore the other organizations in the chain.
Creation of a Cybersecurity Review Board
The EO calls for establishing a "Cyber Incident Review Board" modelled on the National Transportation Safety Board.
The positive is that the board’s membership shall include Federal officials and representatives from private sector entities. Therefore, in theory, this board should encapsulate the best of the public and private sectors, be unafraid to ask the ‘tough questions’ following a significant cyber incident and make concrete recommendations for improving cybersecurity.
The challenge, however, is that the board will have to walk a fine line of complying with the Federal Advisory Committee Act, which forces boards like this to be "objective and accessible to the public," while also keeping the information it collects safe.
Minimizing and Preventing Cyberattacks
The goal of the EO is to modernize the government's IT infrastructure while creating a set of standards to help minimize the damage caused by cyberattacks. With aggressive timelines in tow and a clear directive to securely move to the cloud, this EO is arguably the most important step the President could have implemented.
The three areas that we have highlighted in the EO all require organizations to take a more robust approach to data security. This is where Fortra data security platform can help, as our suite of products is designed to bring an organization’s data security policy into this modern hybrid reality with multiple ways of working with a highly distributed workforce. We have data security solutions that help ensure intellectual property and sensitive data is kept safe and secure. Our products run right across the various data protection requirements from classifying data inside the organization at the outset, through to detecting and preventing leaks of sensitive information outside the organization.
As cyberthreats around the world continue to increase I am sure we will see more legislation and orders, like the EO, coming to the fore, therefore, demonstrating that you have a solid data security foundation in place and that you have layered security to help mitigate risk is going to be paramount.