On May 12, 2021, President Biden issued an executive order on cybersecurity. This new order combines many trends we’re already seeing in the Fortune 500 and brings them into the public sector as well. President Trump issued similar executive orders including one in 2017, another in 2018, two in 2019 and three in 2020, but we will cover those at a different time. Here we want to address 3 questions: Why was this written, what is different with this executive order, and when do we look for the changes?
Why was this written?
This executive order can be seen as a response to the Colonial Pipeline ransomware attack. Here we have a piece of critical infrastructure that had its operations suspended and delayed. The pipeline is now operational, but the effects of the interruption can be felt from Texas to the entire eastern seaboard. Many drivers are panic-buying gasoline in anticipation of a long shortage. This executive order can be seen as an attempt by the Biden administration to improve consumer confidence in the supply chain. President Biden made official statements directly related to this incident.
What’s different in this executive order?
The difference between this executive order and other recent cybersecurity statements issued by the president is the deadlines. There are 44 different tasks with a concrete deadline. A majority of these deadlines are short-term (30-90 days) with a few longer-term ones (180-360 days). Most of those deadlines are focused on implementing technical controls, or on drafting standards to be used universally throughout the federal government.
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Executive Order on Improving the Nation’s Cybersecurity (Section 1. Policy)
The focus of this order is on hardening infrastructure and accelerating incident response. How can we improve investigation and remediation time for cybersecurity incidents now? This needs to happen ASAP regardless of whether the incidents occur in the private sector, like the SolarWinds supply-chain attack, or in the public sector. Both are valid targets of nation-state adversaries, so effective collaboration must be part of the solution.
“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
Executive Order on Improving the Nation’s Cybersecurity (Section 1. Policy)
President Biden, through this order, wants to set the tone and change the security culture within the federal government. I see this as a win for everyone. The lexicon of information security comes from the intelligence community and the federal government. If actionable standards come out of these directives, companies will take notice and work on adopting them.
The rest of this executive order is split into 10 sections. Section 2 is on removing barriers to sharing threat information. Section 3 focuses on modernizing the security controls within the federal government. Section 4 is about improving the software supply chain. Sections 5-6 establish a cybersecurity review board and address the need for a universal standard playbook for responding to cybersecurity incidents. Sections 7-8 focus on speeding up detection, investigation, and remediation of incidents within Federal Government networks. Sections 9-11 focus on definitions and provisions within this order and on specific policies for National Security Systems. You can find the official White House statement and fact sheet on the whitehouse.gov website.
What to look for next?
This order really has two timelines: short-term, immediate goals, and longer-term goals aimed at a new strategic vision. These are some highlights that jumped out immediately. This list is by no means exhaustive.
Short term (30-90 days)
- NIST has been directed to publish new standards focused specifically on software supply chain security (Section 4b). This will include:
  - Input from the Federal Government, private sector, academia… for new standards, tools, and best practices for complying with the standards and procedures (30 days)
  - A formal definition of “critical software” (45 days)
- NIST is also to make plans for implementing a Zero Trust Architecture (60 days)
- The Secretary of Homeland Security will provide the Office of Management and Budget [OMB] with recommendations for improving logging (14 days)
- Homeland Security will review current agency-specific policies and regulations and standardize them across the Federal Government (60 days)
- Homeland Security and OMB are to ensure that [cloud] service providers share data with, and provide access to data for, agencies, the Cybersecurity and Infrastructure Security Agency [CISA], and the FBI as necessary to respond to cyber threats, incidents, and risks (120 days)
- CISA is creating a standard playbook for responding to cybersecurity incidents (120 days)
- Multi-factor authentication and encryption at rest and in transit must be adopted by all Federal Civilian Executive Branch Agencies [FCEB Agencies], or a written rationale provided as to why it could not be done (180 days)
- NIST is to:
  - Publish preliminary guidelines for enhancing the software supply chain (180 days)
  - Identify IoT cybersecurity criteria for a consumer labeling program (270 days)
  - Publish additional software supply chain guidelines and establish a process for periodically reviewing and updating them (360 days)
The only people I would see immediately affected by this order are organizations with current and new contracts with federal agencies. As a security practitioner, I would keep my eyes out for statements from NIST, OMB, and CISA on what these standards will look like. Perhaps these new developments will become as ubiquitous as the CIS 20 framework or NIST 800-53. I’d also look out for specifications on the implementation of the security controls. As a citizen, I’d also pay attention to additional comments from the White House as well as any new legislation proposed by Congress.
In our experience, a fundamental transformation of security culture does not take place overnight, but a recent security breach is a powerful catalyst for change. It is the best time for executives to lead their organizations into a better security posture. Whether these controls will stick and immediate progress will be made, only time will tell. After all, it’s not what you preach, it’s what you tolerate.
The executive order does generate a number of other questions. What is information sharing between cloud providers and the federal government going to look like in practice? What are the repercussions for agencies that don’t adopt the new standards within the deadlines? We tackle these questions and more in our Professionally Evil Lunch and Learn, where we do a deep dive into current events in cybersecurity, like this new executive order. You can join the conversation in our public Slack channel. We go live on Friday, May 28th at 1pm EDT.