President Biden served up an Executive Order, prompted by fallout from the SolarWinds attack, that has drawn praise for the administration’s obvious commitment to cybersecurity and for its willingness to put the weight of the federal government’s purchasing power behind ambitious plans to bolster the nation’s security. But experts worry that the elements that make it a standout order will also trip up its rollout.
Calling the EO “laudable,” ImmuniWeb CEO and chief architect Ilia Kolochenko said it could be “arduous to implement” in the short timeframe established. Many federal government agencies and entities, he said, still can’t meet FISMA requirements, the 2014 set of standards enacted to bolster U.S. cyberresilience, and, on top of that, they’re dealing with the more recent Cybersecurity Maturity Model Certification (CMMC) requisite for doing business with the Defense Department.
That effort has the government “using its buying power to demand improved software security standards by the private sector,” explained Stephen Banda, senior manager, security solutions, Lookout, who also gave a thumbs-up to the initiative. “In nine months, the federal government will only buy from companies that have met these newly developed software security standards.”
The EO is much more than the long-anticipated reporting requirement, which obliges software contractors to provide government agencies with timely details of any breaches they have experienced. That requirement is critical in and of itself: SolarWinds showed just how haphazard reporting can be when it is left up to the company that has been breached. It was FireEye, not SolarWinds, that first alerted the world that Russian actors had breached the government contractor by exploiting a vulnerability in its software, which is widely used within government agencies and private-sector companies. Combined with other initiatives in the EO, the desired result, Banda said, is “to improve the security of software sold to the government, including by making developers share certain security data publicly.”
Sounil Yu, CISO at JupiterOne, hailed the requirement for a software bill of materials (SBOM) as being “as significant as when ingredient labels were added to food products that we buy.”
That information “can help users of information and communications technologies (ICT) know when a product is not behaving properly, and this is important if we want to apply the concept of zero-trust to our supply chains,” said Yu.
The SBOM could move organizations closer to the zero-trust model the EO is advocating. “The reason that we need things like SBOM is because we can’t trust our supply chain, and thus, we need more of it to be transparent. SBOM is one way to get that transparency and start moving towards a zero-trust approach for software supply chains,” said Yu, explaining that too much trust is currently placed in the supply chain. “Taking it further, having usage and contraindication information for vendor products then allows us to create guardrails that let us know when a vendor product is behaving in a way that it is not supposed to.”
Lauding the many efforts and thoughts in the EO for including “better coordination and communication between agencies and between government and the private sector,” YouAttest CEO Garret Grajek said the “welcomed improvement” of immediately sharing intelligence on attacks is much appreciated, “if the U.S. is going to get on top of Colonial Pipeline-type ransomware attacks and other major threats.”
The partnership between the federal and private sectors should maintain “the preservation of privacy” among its “chief pursuits,” said Tim Wade, technical director, CTO team, at Vectra, who gave the nod to Biden for choosing “promoting the threats to the privacy of the American people as a first-order concern central” to the EO.
Still, those sharing requirements combined with Biden’s proposed Cybersecurity Safety Review Board may try the long-established bounds of interagency collaboration, Kolochenko said.
The National Cybersecurity Safety Review Board will function much like the National Transportation Safety Board does for airlines and other areas of transportation. It will help resolve a big issue in the U.S. – lack of centralized control of the internet. “Of course, in a free world and free internet, the U.S. government does not own or control the traffic that goes across as a nation, the way China does,” said Grajek. “To counter this lack of centralized control, communication sharing is paramount.”
How the requirements play out in real life will depend, in part, on the resources put behind them. “Hopefully, the upcoming regulations will be also underpinned by additional budget allocations and other resources required to build a resilient information security program at the federal level,” said Kolochenko.