You Can’t Unsee the Rabbit: Perspectives on the 2021 Cybersecurity Executive Order

Visual illusions are fascinating. As entertainment, they can astound us and surprise us. As learning tools, they make us rethink our assumptions. At their best, they give us new perspectives that can change our actual behavior forever.  

In one of my favorites illusions, the image below was presented in the 23 October 1892 issue of Fliegende Blätter, a German humor magazine. The viewer was asked to quickly say what animal they see in it. Half the viewers saw only a duck, and half saw only a rabbit. But all viewers, when prompted to identify the hidden animal’s separate features — a rabbit’s nose, a duck’s eye — were never able to say “only” again. 

Regardless of how firm their first impressions were, they could never “unsee the rabbit.”

Wikipedia says, “The illusion crystallizes the interplay between freedom (choice) and facticity (forced reality)… If you see just a duck, you may need to actively choose to work on seeing the rabbit too, and once you do, to then choose which you see at any given point.” 

This month’s “Executive Order on Improving the Nation’s Cybersecurity” is a strong document that outlines a solid plan for fulfilling the promise inherent in its title. But it forces new perspectives that may surprise some cybersecurity professionals, and that may cause them to rethink budgets and priorities. 

In essence, it forces us to see both rabbit and duck.   

Two new perspectives in particular rise to the top:

1. In the context in which the document defines “critical software,” along with the need to track, assure, and protect it, all firmware is critical software
2. Device integrity management is critical in the creation, execution, and operation of the “Zero Trust architectures” for which the order calls

In this post, we’ll outline a few of the reasons we can draw these points from the executive order. In parts two and three, we’ll dive into some of the details that support both perspectives. 

All Firmware is Critical Software

The Executive Order says,

“The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern.  Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

Firmware is nothing less than the DNA of every device. It is the embedded code and microcode that, quite literally, tells every device how to act and how to behave — whether that’s a server, a mobile endpoint, a centrifuge, or a critical network device. In the same sense that “broken DNA” can cause immeasurable harm to any life form, “broken firmware” — firmware that’s been tampered with, is out of date, or is misconfigured — can cause almost any hardware or software system to fail catastrophically.       

For endpoints and servers, firmware represents the “code below the code” that lies underneath the operating system, the applications, and any updates or add-ons that are later layered on. But in the broader sense, code shipped with any kind of a device is manufacturer-provided firmware, subject to vulnerabilities and misconfigurations. Regardless of whether in endpoints or in devices, firmware operates at the highest level of privilege, has direct access to critical resources, is a foundational dependency for the OS and application software, and can cause extensive harm if tampered with — all of which were key criteria called out in the Executive Order at Section 2, Part G. 

Moreover, firmware is part of an extensive and hidden ecosystem that is subject to an increasing number of supply chain attacks and compromises.  

Zero Trust Strategies and Tactics Require Deep Device Integrity     

The Executive Order is bullish and direct on its call for Zero Trust strategies and tactics:  

“The Federal Government must adopt security best practices” and “advance toward Zero Trust Architecture.” 

To be clear, a requirement named “device integrity” is not specifically called out in the Executive Order. We make this leap — and we believe it’s a short leap — because the Executive Order so specifically calls for the adoption of Zero Trust architectures. 

One of the most fundamental tenets of Zero Trust architectures is to understand the risk and context around everyone and everything on the network. This includes devices, and it’s where we need assurance that every device — whether endpoint, server, networking device, or IoT device — is authenticated “as new” with every session, that standing privileges are not inherited, and that risks and integrity are continuously evaluated.  

Device Integrity is a solution that, in short: 

• Identifies device and device components — including related firmware — of all types throughout a broad mix of enterprise and personal networks: servers, endpoints, network devices, mobile devices, and even the bare-metal systems beneath cloud environments
• Verifies the current firmware version, configurations, provenance, and vulnerability status, filling a persistent gap in our current security postures   
• Fortifies these systems and devices by updating their firmware where needed, providing the option to easily mitigate vulnerabilities, and ensuring appropriate, secure configurations  

“Device Integrity management” is the class of solutions that delivers device trust in a time when all devices are under attack through firmware exploits, malicious code injection, and other routes. 

Zero Trust strategies are just beginning to be broadly understood. But they’re so fundamentally different from our perimeter-centric security strategies and our previous cybersecurity philosophies that they have been slow to be adopted, despite their clear efficacy. 

If Zero Trust strategies must assume default deny postures for either device or user access attempts and rely on contextual authentication methods — and if they must be granular down to the lowest authentication level and highly dynamic to account for the speed of our digital transformation efforts — it’s clear to see how these principles require device integrity.    

Read More on This Topic

Parts 2 and 3 of this blog series will dig deeper into these two points, providing references from the executive order, examples from other NIST documents, and giving real-world examples of these concepts in action.

The Wikipedia article on the rabbit-duck illusions we cited adds this about perception: “Several scholars suggest that the illusion resonates philosophically, and politically. Wittgenstein, as Le Penne explains, employs the rabbit-duck illusion to distinguish perception from interpretation. If you only see a rabbit, you would say ‘this is a rabbit,’ but once you become aware of the duality you would say ‘now I see it as a rabbit.’”

It’s my hope that on reading these upcoming posts cybersecurity professionals will see, in the Executive Order, both the criticality of firmware and the key role of Device Integrity in Zero Trust solutions. 

In other words, they’ll see both the rabbit and the duck. 

If you can’t wait for Parts 1 and 2, read or download the new Eclypsium white paper “The 2021 Cybersecurity Executive Order: Zero Trust, Firmware in the Supply Chain, and the Demand for Device Integrity.” 

For current info on the firmware vulnerabilities that affect device integrity, read the latest edition of Eclypsium’s Below the Surface Firmware Threat Report.