The security of the federal systems we support is our top priority at Easy Dynamics. So we were thrilled to see the recent Executive Order (EO) on Improving the Nation’s Cybersecurity capture some of the key security themes that we regularly promote, like information sharing, zero trust architecture, secure software development, and response capabilities.
Given the recent string of high-profile cybersecurity and ransomware attacks (e.g., SolarWinds, Colonial Pipeline, and JBS meat processing), this executive order could not have been more timely. Loosely aligned with the NIST Cybersecurity Framework, it introduces concepts that will likely be critical in preventing, detecting, and responding to future threats, which are expected to increase in terms of frequency and range of targets (see 2021 Verizon Data Breach Indicator Report).
While there’s a lot to love about this new EO, here are four of our favorite themes, which we consider critical to advancing our national cybersecurity.
Share, Baby, Share
In Easy Dynamics’ CISSP study group, amid the coffee and motivational snacks, we often discuss the fallacy of “security through obscurity,” the outdated notion that less information sharing means better security. In reality, it’s quite the opposite, especially for Federal IT contractors.
The EO gets it, stating that “service providers […] have unique access to and insight into cyber threat and incident information on Federal Information Systems.” To this end, OMB and the Federal Acquisition Regulatory Council are reviewing the FAR suite to remove barriers so contractors can track and share risk indicators in partnership with CISA and their host agencies. At the same time, CISA is developing stronger contractual provisions for reporting requirements, such as codifying indicators of fraud and attack. Taken together, contractors will understand what, when, and how to share cybersecurity information, and will be empowered to share it properly.
To form a more complete national risk picture, we need more avenues for private sector non-contractors to share information as well. The better data we have, the more we can understand who is being targeted. This also allows us to defend smartly, something that will especially help small businesses, who may not have the resources to conduct their own analysis. And it’s not just a one-way flow. The EO emphasizes intra-agency sharing as well, such as between DHS and DOD, and agencies reporting MFA information to CISA. This complements other recent memos that address information sharing directly between the government and individuals as well. For example, OMB Memo M-21-04 aims to enable the public to easily access their own personal information from agencies. By promoting secure information exchange across all sectors, everyone wins.
Trust, but Modernize
Information sharing via secure systems will require a modernized infrastructure, with strong digital identities at the center. We love the advances this EO promotes towards a Zero Trust architecture, a concept which NIST SP 800-207 describes as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
While modernization is a big task, we’re not starting from scratch – the EO leans on familiar institutions, like FedRAMP, to structure the upgrades, and allowing for compatible substitutions. FedRAMP is built around the concept that securing a federal system starts with securing its individual components, a theme the EO picks up as well.
Similarly, it’s true that private sector security directly affects federal systems. For example, in the tax world, one data leak at a payroll company can help a fraudster generate their own W-2, file a fraudulent return, and receive a refund. A compromised supply chain, as discussed further in the next section, can wreak havoc on any system that knowingly or unknowingly uses it. The EO emphasizes the private sector’s impact through initiatives like the new Cyber Safety Review Board, to be staffed jointly by federal and private sector representatives.
While many of the EO’s other private sector regulations only extend to system components sold to the government, we love that it introduces this important concept of public-private trust.
Addressing the weakest links in the chain
From the original Trojan Horse to the most recent SolarWinds attack – every product that enters the boundaries of an organization comes with risk.
The EO rightfully acknowledges that while the government has a critical dependency on commercial software products, the development of those products often lacks transparency, an ability to resist attacks, and adequate controls to prevent tampering by bad actors. If the security and integrity of software is already compromised during its development, the breach will affect all users of that software. The Solarwinds attack made clear that a compromised software supply chain has far reaching consequences for both software developers and their customers.
We are happy to see the EO charge NIST with further developing standards, procedures and criteria to enhance the security of software supply chains by implementing concepts like multi-factor, risk-based authentication, and conditional access across the enterprise. We also like the inclusion of the concept of a Software Bill of Materials (SBOM), which is an “ingredient list” that should foster transparency in software supply chain. If the original Trojan Horse would have come with a SBOM, the city would probably have thought twice before dragging it through the gate.
For software, SBOMs can help identify vulnerabilities and attack vectors. NIST has already begun to define what secure software development looks like and will build on existing efforts to standardize development through a framework.
Playbooks and linebackers
President Eisenhower once wrote that “peace-time plans are of no particular value, but peace-time planning is indispensable.” Government cybersecurity incident response planning and procedures vary across agencies, which hinders a comprehensive approach. The EO therefore calls to standardize the federal government’s cyber playbook so it can better respond to vulnerabilities and incidents.
We like that the EO makes CISA lead government-wide defense through review and validation of other agencies’ incident and response activity. Building on CISA’s existing vulnerability disclosure policy (VDP), the EO advances common cybersecurity playbooks and solidifies CISA’s role in developing them.
Conclusion
As the EO itself states, incremental improvements will fail to improve the nation’s cybersecurity. Bold action is required, and we believe the EO does just that. A strong partnership between the Federal Government and the private sector is needed, with much better (threat) data sharing as a key initiative. But rather than just a call for better cooperation, the EO also mandates that the Federal Government elevate its own cybersecurity practices by modernizing its cybersecurity infrastructure, setting new standards for enhanced software supply chain security, and developing government-wide playbooks and responses.
Easy Dynamics is excited to continue working with our government clients on these critical themes from the EO to improve our nation’s cybersecurity.