How to Comply With Biden’s Executive Order on Cybersecurity
On May 12, President Joe Biden issued his 44th executive order of the year, and his first targeting cybersecurity. The executive order is primarily concerned with protecting federal networks from cybersecurity threats, with many of its requirements aimed at federal contractors.
Additionally, the order functions as a call for a more generally secure cyberspace, and urges the private sector to adapt to evolving threats and put more focus on security. “We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents,” reads a White House press release regarding the executive order.
ADCG spoke to Unified Technology And Communications Advisory Group (UTACAG) CEO and cybersecurity expert Harper Anderton about the significance of the executive order, and about how to develop a compliance strategy.
Security Incidents Must Be Reported
It should go without saying that delaying or refusing to report a cybersecurity incident undermines a safer privacy environment. However, it certainly happens. “Any organization that has been involved with government contracting should already be doing that,” says Anderton. “I think part of the problem that it is trying to address is that companies won’t admit that they’ve been hurt or that they’ve been attacked.”
The government is aware of the barriers that prevent or discourage IT providers from sharing information about privacy threats. It should be no surprise that the government doesn’t consider damage control or fear of accountability as legitimate reasons to keep quiet: when an organization chooses not to report a security incident, it prevents agencies like the Federal Bureau of Investigation (FBI) from analyzing how it happened and what can be done to prevent similar incidents in the future.
However, the more drastic change is that contractual obligations can no longer prevent providers from sharing breach information that could impact government networks. When a private entity has information that the security of government networks may be compromised, it is mandatory that they share that information with the government.
Within 60 days of the order, a handful of government agencies will collaborate to solidify requirements ensuring that providers:
Collect and preserve data relevant to cybersecurity event prevention, detection, response, and investigation on all systems over which they have control, including those operated on their behalf
Directly share data, cyber threat information, and incident information with relevant government agencies, when it is related to actual or potential cyber incidents
Collaborate with federal cybersecurity or investigative agencies in their investigations of or responses to incidents, including monitoring networks for threats
The Secretary of Homeland Security still needs to iron out details regarding what types of incidents require reporting, the time periods for incident reporting, and the types of contractors or providers that must comply. However, it is already clear that the “most severe” cyber incidents must be reported within 3 days of initial detection.
The government is also establishing a Cybersecurity Safety Review Board that can analyze significant cybersecurity incidents and make educated recommendations to avoid similar issues moving forward. Likewise, the executive order creates a “standardized playbook” for cyber incident response so that public agencies and the private sector can know the baseline steps to take to mitigate a security risk.
This executive order will likely be just another step towards normalizing the spending of money and resources on educating your employees about cybersecurity-related threats, and on working with software vendors to develop resources that make it harder for attackers to exploit your vulnerabilities.
For Anderton, this is a step in the right direction. “I think a lot of the issues were that organizations were not really adhering to the requirements. Because it takes money, it takes time, it takes effort. And they knew, at the end of the day, that nobody was going to check.”
In addition, organizations didn’t want to publicly admit to an event that undermines their security, diligence, and brand. In some cases, where no customer or financial information has been stolen, it might not even be worth paying the ransom to recover the encrypted data, and reporting the incident would only pile on unwanted pressure.
New Security Standards for Software Sold to the Government
The government is officially raising the bar for the software it uses, pointing out that much commercial software lacks transparency, resistance to attack, and adequate controls to prevent tampering by malicious actors, especially software that affords elevated system privileges or direct access to a customer’s network.
The broader goal is for developers to increase customer transparency into their software, through practices such as making security data public. Once transparency is established, the government and the public can determine whether the software was developed securely.
In the long term, the government is aiming to publish a set of guidelines on best practices for software supply chain security. Expect more specific standards for software development environments, including auditing, multi-factor authentication, data encryption, response to attempted cyber incidents, and minimizing dependencies on specific enterprise products used in the software development process.
Since software developers are unlikely to want to rule out the government as a potential customer, these heightened standards might pave the way for a more secure software supply chain overall.
A More Modernized Federal Approach to Cybersecurity
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the federal government must take decisive steps to modernize its approach to cybersecurity, including by increasing the federal government’s visibility into threats, while protecting privacy and civil liberties,” reads the executive order.
There is something inherently promising about a country that has yet to establish a comprehensive federal data privacy bill pledging to advance towards Zero Trust Architecture and secure cloud services, to deploy multi-factor authentication and encryption consistently, and to streamline access to cybersecurity data so that privacy risks can be properly analyzed. That being said, the values central to this executive order would feel hollow without a written, detailed commitment on the government’s end.
One of the more concrete changes is the enabling of a government-wide endpoint detection and response system, in an effort to improve information-sharing within the government. This is explicitly an attempt by the government to avoid vulnerabilities caused by “slow and inconsistent development of cybersecurity tools and practices.” Similarly, federal departments and agencies are now subject to requirements for cybersecurity event logging.
“It’s a start,” says Anderton. “It only applies to government agencies and government contractors, and there are already a number of initiatives in place [for that].” However, the executive order may be more about sending a message than any practical regulatory impact on the way things are done. “I think it is a way to wake up and shake up a lot of the areas to say: you do have to take this seriously.”
Anderton maintains that those most vulnerable to phishing and ransomware attacks are not government contractors but employees of small to medium-sized businesses. “It only really addresses a small part of the problem. The bigger issue is education and coming up with the policy directions of how to deal with it.”
Sources:
https://www.jdsupra.com/legalnews/cybersecurity-executive-order-4427766/
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/
https://www.natlawreview.com/article/key-takeaways-president-biden-s-cybersecurity-executive-order
https://www.jdsupra.com/legalnews/president-biden-s-cybersecurity-2842324/
https://fcw.com/articles/2021/05/12/cyber-executive-order.aspx