Biden Cybersecurity Executive Order: Ex-USSS Reflects
Ed Cabrera, former CISO of the US Secret Service and current Chief Cybersecurity Officer for Trend Micro, reflects on the effectiveness of Biden’s executive order and what organisations of all sizes can learn from it.
In response to the crippling ransomware attack on Colonial Pipeline, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” on May 12, 2021. Biden’s Executive Order aimed to protect critical infrastructure from further attacks by modernising the nation’s cybersecurity.
Reflecting on the past 15 months, I look at the effectiveness of the Executive Order, its challenges, and what CISOs from businesses of all sizes and sectors can learn to strengthen their cybersecurity strategies.
Overview of President Biden’s Executive Order on Cybersecurity
According to the factsheet published by the White House, the Executive Order addresses seven key points:
- Remove barriers to cyber threat information sharing between government and the private sector
- Modernize and implement more robust cybersecurity standards in the Federal Government
- Improve software supply chain security
- Establish a Cybersecurity Safety Review Board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on Federal Government networks
- Improve investigative and remediation capabilities
The Executive Order also set deadlines for adopting Zero Trust architecture, enforcing multi-factor authentication, and deploying endpoint detection and response (EDR).
Other requirements called for CISA to develop and issue a cloud-service governance framework and cloud-security technical reference architecture documentation that illustrates the recommended approach to cloud migration and data protection.
Security wins and challenges
In November 2021, CSO reported that 19 of the 46 mandated tasks had been completed, although not all Federal agencies had reported their progress, and some may be unable to because of the highly sensitive nature of their work.
Regardless of whether your organisation was covered by the order, I’ve often said that the security teams that succeed take a federal-first approach, aligning their security strategy with that of the Federal Government. The logic is simple: the Federal Government must thwart the most advanced cyberattacks, so the lessons it learns, and the strategy derived from them, are useful to every organisation.
With this in mind, let’s review the most significant “wins” and “challenges” for any business—not just those mandated—trying to implement the tasks outlined in the Executive Order:
Remove barriers to sharing threat information
Win: More mature threat intelligence and information sharing
Previously, information sharing lacked context, which made it hard to operationalise and use to defend networks. The industry shifted from manually passing around PDFs of long lists of suspicious or malicious IPs to automated, high-volume feeds with minimal context.
Now, shared information is increasingly expressed against standardised frameworks like MITRE ATT&CK, whose tactics and techniques give security teams the behavioural context they need to investigate and remediate threats.
Challenge: Legal liability
Private companies may be hesitant to share threat intelligence or indicators of compromise (IoCs) because the data may contain sensitive or classified information that, if wrongfully shared, could lead to litigation. Anti-trust concerns also arise when competitors share information. Even though progress has been made in the last two years on the legal questions around redacting sensitive information, intelligence and information sharing are still not happening at the level they should.
Modernise and implement more robust cybersecurity standards
Challenge: Lack of nuance
Zero Trust is broadly defined and open to several interpretations. An organisation’s architecture, and whether it is built on implicit trust, will shape how Zero Trust is implemented. Some organisations focus only on implementing MFA and call it a day, while more mature businesses are implementing it across all five pillars of CISA’s Zero Trust Maturity Model (identity, devices, networks, applications and workloads, and data). The maturity model gives agencies specific examples of a traditional, advanced, and optimal Zero Trust architecture for each pillar.
Improve software supply chain security
Win: More awareness
I’ve noticed a substantial increase in awareness of the challenges organisations will face if they don’t improve their software supply chain security. This has led to related initiatives being promoted alongside it, like the Software Bill of Materials (SBOM).
An SBOM, by definition, is a formal record containing the details and supply-chain relationships of the components used in building software. Software developers and vendors often create products by assembling existing open source and commercial components. The SBOM enumerates those components, which lets security teams identify and assess the risk they carry, for example by matching component versions against published advisories.
Challenge: Open source code
Open source software (OSS) usage continues to grow; some enterprise surveys put it as high as 80%.
Snyk, our closest DevOps partner, which integrates with developer tools and workflows to continuously find and fix vulnerabilities, found in its State of Open Source Security 2022 report that many organisations are unprepared to deal with OSS risk.
Specifically, they found that:
- 41% of organisations are not confident in their open-source software security.
- The average application in development contains 49 vulnerabilities and 69 dependencies.
- The time it takes to fix vulnerabilities in open-source projects has steadily increased, doubling from 49 days in 2018 to 110 days in 2021.
- 51% of organisations don’t have a security policy for OSS development or usage.
- 30% of organisations without an open source security policy acknowledge that no one on their team is responsible for open source security.
Open source code remains a Catch-22 for businesses: it is essential for developers who need to build quickly, yet it carries significant security risk. Without the proper tools and partnerships, teams struggle to identify which open source components are in their software, leaving them exposed to attacks on those components. I consider secure development practices priority #1 for software supply chain security.
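As an added example (not code from the article, from Trend Micro or from Snyk), the script below shows the basic check an SBOM enables: it parses a constructed CycloneDX-style SBOM and matches each component’s package URL and version against an inline advisory table. The affected range for CVE-2021-44228 follows the public Log4j advisory; the second advisory and all three components are constructed for illustration, and the version comparison handles only the dotted-numeric plus pre-release scheme those versions use.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX 1.4 JSON shape (only the fields read below).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "examplelib",
         "version": "1.2.0-beta3",
         "purl": "pkg:maven/com.example/examplelib@1.2.0-beta3"},
        {"type": "library", "group": "com.example", "name": "cleanlib",
         "version": "3.1.0",
         "purl": "pkg:maven/com.example/cleanlib@3.1.0"},
    ],
})

# Advisory table: package URL without version, first affected version and first
# fixed version.  The CVE-2021-44228 range follows the public Log4j advisory;
# the ADVISORY-EXAMPLE entry is constructed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-2021-44228",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "ADVISORY-EXAMPLE-0001",
     "purl_prefix": "pkg:maven/com.example/examplelib",
     "introduced": "1.0.0", "fixed": "1.2.0"},
]


def version_key(version: str) -> Tuple:
    """Sortable key for versions like 2.14.1, 2.0-beta9 or 1.2.0-rc1.

    A pre-release sorts before the release it precedes (2.0-beta9 < 2.0),
    which matters for the lower bound of the Log4j range.
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * max(0, 3 - len(nums))
    if not pre:
        return (nums, 1, "", 0)  # final release
    match = re.match(r"([A-Za-z]+)(\d*)", pre)
    if match:
        return (nums, 0, match.group(1).lower(), int(match.group(2) or 0))
    return (nums, 0, pre.lower(), 0)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable_components(sbom_json: str,
                               advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair whose range matches."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        # purl = type/namespace/name@version[?qualifiers][#subpath]; strip
        # qualifiers and subpath so only the version is compared.
        prefix, _, rest = purl.partition("@")
        version = re.split(r"[?#]", rest, maxsplit=1)[0] or comp.get("version", "")
        for adv in advisories:
            if prefix == adv["purl_prefix"] and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{comp.get('group', '')}/{comp['name']}@{version}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['component']}: {f['advisory']} (upgrade to {f['fixed_in']})")
```

The point of the pre-release handling is the Log4j lower bound: a naive string comparison would place 2.0-beta9 after 2.0 and miss early affected builds. Real advisory feeds (OSV, the GitHub Advisory Database) publish ranges in this introduced/fixed form, so the matching logic carries over once the inline table is replaced by a feed.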
Create standard playbooks for responding to global software supply chain exploitation events
Win: More resiliency
Playbooks are incredibly effective in preparing for cyber-attacks and campaigns, with one caveat: only if they are practised and exercised regularly.
Playbooks work because they enumerate what to do and when. The faster you can patch a vulnerability, the more resilient your systems will be, which is especially crucial now that the time from disclosure to exploitation has gone from over a month to just hours. I’ve noticed that organisations are often victims of inefficient or broken processes rather than of the critical vulnerabilities themselves.
Challenge: Security isn’t one-size-fits-all
On the other hand, playbooks for responding to global software supply chain exploitation events are few and far between.
Frameworks are a good place to start when establishing your organisation’s playbook, but don’t forget to factor in your unique IT environment and the compliance regulations of the regions you operate in.
Improve detection of cybersecurity incidents
Challenge: Lack of visibility
Large organisations run 50 to 60 solutions in their security stack, which slows down the collection and correlation of threat activity data. The longer the mean time to detect (MTTD), the more time an attack has to spread deeper into your architecture. More point products, more problems.
Underlying all these challenges is a lack of funding and the burden of responding to unfunded mandates, which compounds the constant pressure to improve security and compliance quickly. A good place to start is consolidating your point solutions on a unified cybersecurity platform so you can improve security efficiency, increase automation, and reduce costs.
Shifting from point solutions to a unified cybersecurity platform with comprehensive third-party integrations enables security professionals to identify and mitigate cyber risk quickly across all attack surfaces.
Consider a platform with XDR capabilities that collects and correlates data across the platform’s solutions to detect, respond to, and remediate threats faster. XDR can also absorb work that would otherwise need roughly eight full-time employees, which helps businesses suffering from the cybersecurity skills gap.
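As an added example (not code from the article, from Trend Micro or from any XDR product), the script below shows the cross-source correlation the passage describes, run over a constructed set of telemetry records from three hypothetical products: an email gateway, an EDR agent and an outbound proxy. Field names, severities and the alert threshold are assumptions for this example; the technique IDs are real MITRE ATT&CK identifiers. Each record is too low-severity to alert on its own, which is all a point product sees; grouping one user’s events across sources within a 30-minute window produces a single incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed telemetry from three hypothetical products.  Field names
# (ts, source, user, host, technique, severity) are assumptions for this
# example; technique IDs are MITRE ATT&CK IDs.
EVENTS: List[Dict] = [
    {"ts": "2022-08-01T09:02:10Z", "source": "email", "user": "jdoe", "host": None,
     "detail": "macro-enabled attachment invoice.docm delivered",
     "technique": "T1566.001", "severity": 2},
    {"ts": "2022-08-01T09:05:44Z", "source": "edr", "user": "jdoe", "host": "WS-0042",
     "detail": "WINWORD.EXE spawned powershell.exe",
     "technique": "T1204.002", "severity": 3},
    {"ts": "2022-08-01T09:06:01Z", "source": "proxy", "user": "jdoe", "host": "WS-0042",
     "detail": "powershell.exe HTTPS to newly registered domain",
     "technique": "T1071.001", "severity": 2},
    {"ts": "2022-08-01T14:30:00Z", "source": "proxy", "user": "asmith", "host": "WS-0107",
     "detail": "browser HTTPS to newly registered domain",
     "technique": "T1071.001", "severity": 2},
]

ALERT_THRESHOLD = 5  # score at which an analyst is paged (assumed)
CORRELATION_WINDOW = timedelta(minutes=30)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def siloed_alerts(events: List[Dict], threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """What each point product can do alone: judge one event at a time."""
    return [e for e in events if e["severity"] >= threshold]


def _build_incident(user: str, chain: List[Dict], threshold: int) -> Optional[Dict]:
    """Turn a per-user chain of events into an incident if it is corroborated
    by at least two products and its combined score crosses the threshold."""
    sources = {e["source"] for e in chain}
    score = sum(e["severity"] for e in chain)
    if len(sources) < 2 or score < threshold:
        return None
    first, last = _parse_ts(chain[0]["ts"]), _parse_ts(chain[-1]["ts"])
    return {
        "user": user,
        "hosts": sorted({e["host"] for e in chain if e["host"]}),
        "sources": sorted(sources),
        "techniques": [e["technique"] for e in chain],
        "score": score,
        # Seconds from the first event in the chain to the one that tipped it
        # over the threshold: the best MTTD this correlation can achieve.
        "time_to_detect_s": int((last - first).total_seconds()),
    }


def correlate(events: List[Dict], window: timedelta = CORRELATION_WINDOW,
              threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Group events by user into time windows and score each chain across sources."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    incidents: List[Dict] = []
    for user, evs in by_user.items():
        chain: List[Dict] = []
        for e in evs:
            if chain and _parse_ts(e["ts"]) - _parse_ts(chain[0]["ts"]) > window:
                incident = _build_incident(user, chain, threshold)
                if incident:
                    incidents.append(incident)
                chain = []
            chain.append(e)
        incident = _build_incident(user, chain, threshold)
        if incident:
            incidents.append(incident)
    return incidents


if __name__ == "__main__":
    print("siloed alerts:", siloed_alerts(EVENTS))
    for incident in correlate(EVENTS):
        print("correlated incident:", incident)
```

With these records, siloed_alerts returns nothing: no product sees a severity-5 event. correlate returns one incident for jdoe spanning email, EDR and proxy telemetry, with the phishing-to-execution-to-beacon chain visible in the technique list. The asmith proxy event stays a single low-severity record, which is the behaviour you want; correlation should raise the chain, not every newly registered domain.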
For more information, check out these resources: