Understanding the ‘Improving the Nation’s Cybersecurity’ EO
Recently, President Joe Biden issued an executive order on “Improving the Nation’s Cybersecurity.” The order is timely, as the United States has recently fallen prey to multiple cyberattacks and ransomware attacks, putting many on heightened alert to risk and raising concerns about cybersecurity.
Why the Executive Order Came About
The executive order was likely in the works for a long time. The Cyberspace Solarium Commission, a nonpartisan commission that has been studying these issues and gaining attention, focused on the role of government in changing its strategic positioning. The fact that hackers and adversaries are having their way and being successful without much deterrence highlights that we don’t have a strong, less-than-military response as a matter of consistent policy.
SolarWinds had already happened. Microsoft Exchange and FireEye were also being exploited, so the timing was clearly right. This administration has been formulating its agenda and thinking about how fast we are going to get an “all of government and industry” operational response out. The recent cybersecurity incidents likely accelerated the issuance of this executive order, but there’s a lot there; it’s very comprehensive. It clearly didn’t get written overnight.
Federal Contractor Requirements
The executive order has many facets. One of them sets time requirements for incident reporting and sharing information about breaches: federal contractors will now have 72 hours to share information with the appropriate party. This will standardize guidelines, which generally have varied by agency. The objective seems to be getting to a level playing field; so, if you’re a government contractor working with many agencies, you hopefully have one way, one timeframe and one set of criteria to abide by. Standardization is the key, but that’s the hardest to get to. And there’s transparency: making sure that there’s a high degree of transparency into what’s going on in the private sector that might affect government information.
Public-Private Partnership
The order also touches on the private sector and the need for trust and transparency between government and the private sector. The number of directives that apply directly to contractors is relatively small. But, if you’re a vendor providing services on behalf of the government via a cloud provider, there’s a lot of directive language in the order; however, there’s not a lot of other directive language around contractor systems, or which systems contractors use to run their businesses.
As we see some of the governmental directives take shape in the form of rulemaking and regulatory action, we’re going to see more specifics come out. The theme of trust and transparency is top-of-mind. The government has recognized that many cyberattacks start and even end in the private sector, but that there’s sometimes government data involved; national security is involved. If they don’t gain that transparency, it can be problematic, to say the least; it’s not good enough to just be able to direct the actions of systems that are owned and managed by the government. They must be able to see what’s going on and include response actions for systems owned and managed by contractors.
A New Playbook for Incidents
The cybersecurity order talks about having a coordinated capability to detect attacks and respond to them across agencies. That includes things like detecting activity in endpoints, log management and access to those logs for forensic purposes. Extending that coordinated visibility and response out to contractor systems is not something explicitly stated, but it should be.
If the government’s going to respond in a standardized way across agencies, it has to include the contractor segment, or the response won’t get the desired results.
Moving Forward
The reality of how conflict happens between nation-states nowadays often involves a cyber component. This is basically peacetime activity, but it’s in the espionage realm more than the sabotage realm at this moment. This is how the great powers interact today.
This activity has been going on for some time now, and it is the reality we live in. It is big enough and frequent enough to have a meaningful impact on us economically. And in terms of national security, you can now easily see some of what is happening spilling over into a less peaceful context.

