How Biden’s EO Impacts Cybersecurity Players

On May 12, the Biden Administration released an executive order aimed at government agencies, vendors and developers, who all will have to design their products with a greater focus on security.

The EO on “Improving the Nation’s Cybersecurity” comes in the wake of several high-profile security breaches, most recently the ransomware attack on Colonial Pipeline, and bets big on zero-trust for the future of the country’s cybersecurity efforts.

The EO recognizes that Federal contracts for IT and OT products and services need to be updated and gives OMB 60 days to review the Federal Acquisition Regulation (FAR) and identify language that needs to be updated to require contractors to report cybersecurity incident data to the Cybersecurity and Infrastructure Security Agency (CISA).

Included in the EO are some concrete best practices that could become commonplace standards, including auditing trust relationships, use of multi-factor authentication, encrypting data and maintaining up-to-date software.

“With recent high profile, disruptive cyberattacks such as the Colonial Pipeline, the EO would set the bar for protecting not only government agencies but for critical infrastructure as well,” said Timur Kovalev, chief technology officer at Untangle. “It’s important to see the government make strengthening security a priority, as they are often looked up to as the gold standard.”

Kovalev pointed out that with official guidelines, all government agencies will be able to work towards the same robust standards within their infrastructures, and state and local governments will then have a concrete benchmark to aspire to and follow.

“The influence of this executive order should reach further than just government agencies and provide a set of standards that other business corporations can implement,” he said. “Having concrete, actionable guidelines like this is important and helpful not just for federal agencies, but for businesses in general.”

Attacks like SolarWinds and the Colonial Pipeline ransomware incident have made clear how readily malicious actors exploit vulnerabilities in software and infrastructure.

“It’s good to see detailed guidelines, with actionable timelines, to protect against attacks that can cost millions or disable parts of the government,” Kovalev said. “With official guidelines, all government agencies will be able to work towards the same robust standards within their infrastructures.”

He explained that for software developers, this means thinking about security from the beginning and standardizing best practices that are known to make for a more robust supply chain, which, as the industry found out from the Sunburst attack, needs more attention.

“The EO provides a framework and processes for developers to be more transparent and ensure the security of the software and products,” Kovalev said.

He added that the growing number of cyberattacks and security risks already have agencies and companies investigating or moving to zero-trust strategies.

“By mandating newer security models such as zero-trust for federal agencies, the EO sets a precedent for businesses to follow, and having this in an EO from the highest government authority will give corporate leadership an example on which to base their zero-trust policies,” he said.

Furthermore, a focus on zero trust highlights the assessment that users are ultimately the most prevalent attack vector. Hence, users’ access to the network should not translate to access to all of the resources on the network.

While recognizing that the government and private sector need to work together on cybersecurity, Kovalev said the EO does not go far enough in addressing privately owned critical infrastructure, such as the Colonial Pipeline.

“The guidelines are just that – guidelines for private industry, and perhaps incentives or ‘energy star’ type rebates would encourage more companies to implement the measures,” he added.

Another major component of the EO is the need to share information across organizations and tools, an approach John Morgan, CEO at Confluera, said is already a key focus for many in the cybersecurity industry.

“Now, with a renewed focus by the government, IT professionals can expect an increasing need to integrate and interoperate different cybersecurity tools,” he said. “Organizations will seek to augment or complement existing solutions with new technologies for a much-improved overall security posture.”

Morgan explained that although the executive order applies to all types of infrastructure including cloud, on-premises, and hybrid, it’s clear that more and more organizations are relying on cloud services.

“As such, IT professionals with expertise in cloud services and various cloud security offerings will be in high demand,” he said. “Organizations will look to them to help interoperate various cloud security services and ensure cyber intelligence data are shared across all of them to the fullest.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

