The Cybersecurity Executive Order (EO), like its predecessors, has garnered huge attention within and outside the government.
While it can be considered disputable whether EOs have historically made the intended impact – as successful attacks on federal networks have only increased in numbers and severity – we will evaluate the potential impact of President Biden’s latest order.
It has 11 sections, of which three are administrative, while the remaining provisions make up the heart of the EO.
Let’s look at the three sections and assess their potential to be “bold changes” that rapidly reduce risk across the federal enterprise. We’ll also assess the potential impact to the other sectors.
Removing Barriers to Sharing Threat Information
In this section, the case is made that contractual barriers “may” limit sharing of critical threat information by IT, OT, and cloud service providers that have “unique access” and visibility to cyber threat activity on Federal Information Systems to other federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Chest of drawers of Investigation (FBI), and other elements of the Intelligence Community (IC).
Without question, sharing timely and actionable threat information for incident responders to quickly detect and respond to cyber attacks is paramount. However, this order asserts that removing these barriers “are necessary steps to accelerating incident deterrence, prevention, and response.”
The need to revamp and streamline ICT procurement processes and eliminate contractual barriers is not necessarily bold, but it is clearly needed and will have a longer-term impact. What’s not made clear is how removing these barriers to said agencies will accelerate incident deterrence and prevention.
The benefits to CISA, the FBI and the IC are obvious but operationalizing this access to meaningfully speed up deterrence and prevention is an entirely different proposition.
The impact to IT, OT and cloud service providers, on the other hand, will be significant as they will be mandated to collect and preserve data, information, and report relevant cybersecurity events on “all information systems over which they have control.” This government visibility and subsequent regulation could increase the focus of providers and their non-government customers to shore up their cloud security.
Modernise Federal Government Cybersecurity
In this section, it is quite clear that the focus is on planning and implementing Zero Trust Architecture and the accelerated use of secure cloud services that include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) with special focus on centralised cyber data analytics to manage cybersecurity risks across the federal enterprise.
Prominently featured here is the modernisation of the Federal Risk and Authorization Management Programme (FedRAMP) and the mandate for federal agencies to adopt multifactor authentication and end-to-end encryption.
Much of cybersecurity modernisation outlined in the order is not new. The federal government issued a "cloud first" policy in 2010 to reform federal information technology management. In 2011, the Office of Management and Budget (OMB) established the Federal Risk and Authorization Programme. However, other sectors since then have outpaced the federal government in adopting secure cloud technology and services.
As my good friend and colleague Greg Young espouses, Zero Trust is not new either it’s the evolution of many guiding security concepts and controls going back 30 years from Deny-All firewalling to least-privilege. While this effort is not bold or new the impact of adopting cloud security automation and analytics under a Zero Trust framework is high and immediate.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
The EO explicitly outlines a two-pronged approach here.
- Agencies must sign or update their Memoranda of Agreement (MOA) with CISA’s Continuous Diagnostics and Mitigation Programme to improve their visibility of cybersecurity vulnerabilities.
- The launch of a government-wide Endpoint Detection and Response (EDR) programme coupled with an improved information sharing programme.
Theoretically, these would improve agencies’ ability to detect malicious cyber activity on federal networks.
These approaches are, again, neither bold nor new, but they can rapidly reduce cyber risk on federal networks – though not to the scale for which the EO hopes to address.
Historically, the challenges to CISA and CDM programmes have not been limited to budgets and authorities but rather to strategy and execution. Centralising and storing the entire.gov list of known vulnerable assets at any given moment poses a huge risk and concern to many Agency CISO’s. This has been a concern since the inception of CDM – one I faced as CISO of the U.S. Secret Service.
The second approach is the notion of launching a government-wide Endpoint Detection and Response (EDR) programme. This will be a logistical and procurement impossibility, not to mention yesterday’s approach.
The Department of Homeland Security alone has 22 distinct agencies with varying budgets and limited human capital with varying levels of EDR and EPP deployments. This coupled with the knowledge that some agencies have already evolved beyond EDR to XDR solutions makes this the least probable or impactful outcome of the EO.
XDR significantly improves upon EDR capabilities as it adds real-time context to data from the network, cloud, endpoints and email/web gateway. This data correlation and contextualisation speeds up detection and response. However, limiting the mandate to require EDR solutions – let alone one that spans all Agencies – is only a half-step in the right direction.
While it offers more hype than substance, this Cybersecurity EO still addresses many of the challenges that federal network defenders face. Even though many of the actions had suspense dates between 60 and 120 days, increasing threat sharing, modernising cybersecurity systems, and improving threat and vulnerability detection will have a greater impact over the long-term.
Where this EO is most lacking is in properly addressing the people and resource issues faced by all federal government security teams, as well as the overall vulnerable state of the nation’s critical infrastructure.
Just like waiting for the next season to drop on Netflix, we’ll have to wait to see the extent of the impact the EO will have. But I do have hope that these steps are in the right direction toward enabling existing resources to better protect the country.