On the heels of major cybersecurity intrusions like SolarWinds and Colonial Pipeline, President Biden signed an Executive Order on May 12th to modernize cybersecurity in the federal government and protect federal government networks. Briefly, focuses on several main areas:
1. Allow better threat information sharing between government and the private sector. The Executive Order ensures that IT Service Providers can share information with the government and requires them to share certain breach information.
2. Modernize and implement stronger cybersecurity standards in the federal government by moving to more secure cloud services and a zero-trust architecture and mandates deployment of multifactor authentication and encryption.
3. Improve software supply chain security by establishing baseline security standards for development of software (secure by design) sold to the government, including requiring developers to maintain greater visibility into their software and making security data available to the public.
4. Establish a cybersecurity safety review board modeled after the National Transportation Safety Board (NTSB). The Board, to be co-chaired by government and private sector leads, will convene after a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
5. Create a standard “playbook” for responding to cyber incidents for cyber incident response by federal departments and agencies. The playbook ensures Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate security threats.
6. Improve detection of cybersecurity incidents on Federal government networks by improving the ability to detect malicious cyber activity through endpoint detection and response systems and improved information sharing within the Federal government.
7. Improving investigative and remediation capabilities by introducing event log requirements for federal departments and agencies.
This Executive Order, along with the IoT Security law signed into law by President Trump in December are the initial steps taken to modernize national cyber defenses. The Colonial Pipeline incident, however, is a reminder that federal action addresses only a portion of critical systems. A substantial portion of critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments.
The Executive Order does not directly touch the private sector, but major transformative efforts like this leads to change well beyond government for security vendors and enterprise organizations. The US federal government’s procurement processes are unique and at times very rigid. The rigid nature of that procurement process also provides a baseline that other private enterprise organizations may use to help codify and standardize cybersecurity requirements. In other words, if companies want to do business with the Federal government, they need to comply; if businesses are going to spend money to comply, the cybersecurity Executive Order may provide a framework for private industry as well.
Device Authority has been hitting the drum of Zero Trust and Security by Design since our inception. Here is the bottom line that we (and our customers) know: Zero Trust works. Now, the United States federal government has validated, confirmed, and required Zero Trust. We are not gloating, because the work continues. For the US government and its suppliers, this executive order represents substantial and massive change because non-governmental and private organizations should expect to feel repercussions of this Executive Order as well.
Back in October 2016 we experienced the Mirai botnet malware, which leveraged the use of weak credentials, particularly passwords – usually guessing the default passwords which manufacturer’s ship devices with. The solution? Easy, just update your password!
