President Biden yesterday released an executive order designed to improve the government’s efforts to prevent and act against a growing number of malicious cyber campaigns against both the public and private sector.
The order is a result of an increasing number of cyber attacks in the United States. For instance, a recent ransomware attack forced the Colonial Pipeline to shut down the main part of its network, affecting fuel supplies across the United States. The firm is scheduled to resume service after shutting down for five days. Additionally, an attack on SolarWinds infrastructure last year comprised a number of federal agencies and businesses.
“You can’t protect what you can’t see. And too many organizations don’t have a full picture of what’s inside their software. Most aren’t even looking,” said Brian Fox, CTO of Sonatype.
A core part of the executive order is that the federal government will partner with the private sector to create a more secure cyberspace amid a continuously changing threat environment.
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” Biden wrote in the executive order. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
Within 60 days the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements will be updated and the recommendations will include descriptions of contractors to be covered by the proposed contract language.
Another aspect of the order is removing contractual barriers and increasing the sharing of information about threats, incidents and risks to accelerate incident deterrence, prevention and response efforts.
To keep pace with quickly changing cybersecurity demands, Biden ordered the modernization of Federal government cybersecurity by moving towards Zero Trust Architecture, accelerating the move to secure cloud services and centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
The order also establishes a Cybersecurity Safety Review Board, co-chaired by the government and private sector to analyze major security breaches. In addition, the order aims to release a standard playbook for responding to cyber incidents by federal departments and agencies.
“There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern,” the order stated.
Sonatype’s Fox added: “While some companies are self-regulating their cybersecurity hygiene, in our software driven world it’s just not enough; daily breach headlines indicate that government regulations might be a necessary motivator for widespread action, which is why we’re eager to see President Biden’s support of several initiatives, including requiring a software bill of materials (SBOM). This move, in part as a government response to the SolarWinds breach, would finally bring software the accountability that standard BOMs do to other products we use everyday.”
How the industry is reacting:
Robert Cattanach, a partner at the international law firm Dorsey & Whitney: “What the Executive Order may be able to do, however, is lower the barriers to communication that could improve the ability of both public and private sector to detect and share threat information, which are substantial for many reasons: reluctance to admit security failures, fear of enforcement, contractual limitations, and simple inertia. By mandating prompt disclosure of cyber events by federal contractors, establishing a lessons learned process, and more rigorously vetting the reliability of newly defined “critical software” through the lens of a “Zero Trust Architecture”, the process-heavy Order will focus both attention and resources on a hugely vulnerable component of the day-to-day functioning of both the public and private sectors is undeniably. To be clear: vulnerabilities can never be completely eliminated: responding promptly and sharing critical insights however, can substantially limit the damages of any cyber attack.”
Andrew Shikiar, the executive director of the FIDO Alliance: “We welcome today’s directive from the Biden Administration and applaud its focus on the importance of multi-factor authentication. If there is one thing the attack on SolarWinds as well as the Colonial Pipeline ransomware attack reminded us, the private sector and public sector need strong security measures to protect critical infrastructure — and the FIDO Alliance believes this begins with authentication.
We urge government agencies to adopt only the strongest forms of MFA when complying with this directive. As CISA pointed out last September in its advisory on election security, the majority of cyber-espionage incidents are enabled by phishing, and FIDO security keys are the only form of MFA that offer protection from phishing attacks 100% of the time.”
Jeff Hudson, CEO of Venafi: “The new executive order is a swing and a miss from the government. Prescriptive regulations for the software industry simply will not work — the federal government cannot move quickly enough to effectively regulate how software is built.
Look at machine identities, for example. The SolarWinds attackers’ operation relied upon machine identities: X.509 certificates to stay unnoticed and OAuth App certificates to obtain access to cloud networks. And just last month, Gartner listed machine identity management as a top security concern for 2021. Despite all of this, the executive order completely overlooks the risk that machine to machine communication poses to our entire nation’s security infrastructure.
The only way the government can help protect individuals and companies from becoming victims of insecure software build processes is by incentivizing the software industry to build better. There needs to be strict financial repercussions for any company that fails to do so. This order, as it stands, will slow down software companies and give attackers the opportunity to innovate faster.”
Jyoti Bansal, CEO of Traceable and Harness: “It’s great to see the administration taking improvement of cybersecurity standards seriously. The gravity and widespread nature of the SolarWinds attack clearly demonstrates that the impact of nation-state cyberattacks has reached a new level of risk. There is so much software development behind how government agencies operate and interact with citizens these days. Like the SolarWinds attacks showed, that software code and all the third-party suppliers in the software supply chain are the next key vector of attack and will continue to be.
But prescriptive regulation alone is insufficient. We need industry leaders to adopt secure development practices and make security an unambiguous priority at all levels. Accountability is another part of the answer — the cost of security breaches should be sufficient to motivate vendors and IT professionals to make changes to proactively detect and prevent more vulnerabilities. The industry as a whole needs to shift security left — ensuring that security is implemented in the software development life cycle instead of waiting to add in security after products are deployed into production. Enforcing tighter software security standards is a must have for our government agencies and industry to remain safe from malicious foreign attacks.”