On May 12th, the President of the USA, Joe Biden, signed an Executive Order (EO) that would bolster the cyber defences of the USA. The EO is intended to protect against “increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
An EO is a written, signed, and published directive from the President that manages operations of the federal government, and although some EO’s require legislative approval, they effectively become law. It comes on the back of several high profile incidents involving Microsoft (Exchange), SolarWinds and the recent Colonial Pipeline incident. It is seen as a much-needed step to modernise and protect federal networks and improve information sharing between the private and US government.
The EO covers a range of topics, and not only are the UK Government considering something similar, but I believe these are key initiatives that we all should carefully consider and implement appropriately.
When implementing Information security in the private or public sector, I believe it’s essential to set out your policy. Almost straight out of the gate, the EO from President Biden states that Cybersecurity requires more than government action and calls for a more collaborative approach (from the Private sector) in helping to protect the US from malicious attacks. This call for collaboration is critical. It demonstrates that the US recognises the importance of the private sector and its ability to adapt to the continuously changing threat environment and ensure its products are built and operate securely.
It states that ‘Incremental improvements will not give [us] the security’ needed, which by inference means the White House recognises that change needs to happen and it needs to happen now. The Federal Government needs to lead by example if the Private sector is to take notice of these changes. I believe that the US Government should lead by example, but they must also be vocal about it if they want people to take notice and succeed in achieving their second objective.
Removing barriers to Sharing Threat Information
The Federal Government relies heavily on the private sector to support national infrastructure, but how much collaboration and information sharing takes place? How much trust is there when the contracts in place penalise or restrict the free flow of information related to risks, threats, vulnerabilities or incidents, or contracts aren’t clear about the need for such data collection, storage and sharing?
Modernising Federal Government Cybersecurity
It is easy to see why the status quo is an acceptable stance in a highly complex environment, but in the increasingly data-driven and dynamic environment we all live in, this can no longer be accepted. The EO calls for investment in cloud technology, zero-trust architecture, encryption and multi-factor authentication technologies. It states that the Federal Government must look at what the General Data Protection Regulation (GDPR) calls “State of the Art” technologies.
This focus on modernising the approach to Cybersecurity will be key to protecting the public and private sector and identifying and responding to threats and vulnerabilities. This is a focus all organisations should have; Not simply updating systems – but modernising the prevention and detection techniques and technologies we employ to increase our security.
Enhancing Software Supply Chain Security
As the saying goes; No man is an island. Just as the Federal Government bolsters its security, it needs to look closely at the security and integrity of “critical software” that it relies upon and performs functions critical to the government. Our reliance on third-party software should be a matter of continual scrutiny and assessment, as we place our trust in these organisations and their ability to support our business operations. This is why it is essential to carry out due diligence on companies you rely upon and ensure they carry appropriate certifications (such as ISO27001, PCI DSS or SOC).
Establishing a Cyber Safety Review Board
An incredibly important aspect of any security programme is leadership. In the EO, President Biden sets out the need to establish a Cyber Safety Review Board, reviewing and assessing cyber incidents, threat activity, vulnerabilities, mitigation activities, and agency responses.
All too often, we see organisations (public and private) trying to implement security programmes with no clear ownership or input from across the organisation. It is great to see that the EO outlines the need for federal officials and representatives from the private sector. When establishing our security programmes, we should also consider involving third parties who can understand both internal and external risks and issues we might face.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.
The EO states that ‘The Federal Government shall employ all appropriate resources and authorities to maximise the early detection of cybersecurity vulnerabilities and incidents on its networks.’ This assessment of vulnerabilities begins with recognising that we are all potentially vulnerable. Therefore we must find these areas of weakness so that they can be effectively addressed. Deploying Endpoint Detection and Response (EDR) tools, such as those within the Tripwire Enterprise solution, or Managed Detection and Response (MDR) technologies and techniques must be considered when looking to improve our overall response to vulnerabilities and incidents. If we don’t have these tools or processes in place internally, we need to consider outsourcing and bringing in these skills.
Improving the Federal Government’s Investigative and Remediation Capabilities.
Networks and systems can tell us a lot about what is going on, if we care to look. But I’m often surprised at how little, organisations will monitor and review their log files for suspicious events or activity. But with the EO in place, President Biden is stating that it is a requirement that information from network and system logs on Federal Information Systems is collected and reviewed.
When implementing security programmes, we should be asking what network logging and monitoring tools are available to facilitate better investigations and remediations of breaches that may occur.
The EO from President Biden is a great step forward and is much needed, and although there is more that could be done, and there are things missing, it is a positive move. But from defining policy and securing a leadership framework to improving risk identification, modernising systems, and looking at the supply chain, these wouldn’t look out of place in an Information Security Management System. Meaning this Executive Order is a great step forward, and although it isn’t calling ‘last orders’ on security incidents, it is something we should raise a glass to.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.