In May 2021, President Joe Biden signed the 30 - page Executive Order (EO) on Improving the Nation’s Cybersecurity covering a host of cybersecurity issues. It mandates that Executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. It also describes how government agencies should evaluate the software they buy and calls for these agencies to adopt "zero trust" architectures and more secure cloud services.
Some of the Executive Order’s focused efforts include:
With implementation of the Executive Order well underway in the federal government, we sat down with Kevin Kerr, Lead Security Principal Consultant at Trustwave and former Chief Information Security Officer Oak Ridge National Laboratory, to take a look at the EO’s impact and progress to date.
Kerr: The EO has brought around a refocusing of the cyber community. The EO has undertaken numerous initiatives many of which are meant to enable collaboration across the public and private sectors with respect to contracts with the government, incident response and reporting, software security, etc. This is all good. There is also a lot in the EO that requires the government to establish requirements that need to be developed and implemented, and this will take some time to come to fruition. Once this is all done there will significantly rework and changes to be made. While I am hopeful that this will move the needle forward, I am cautious because in 2012 the Continuous Diagnostics and Monitoring (CDM) program was kicked off and is still being worked through if that gives you any indication of the difficulties’ of implementing this type of ambitious program.
This being said, a key point within the EO is Zero Trust. The main concept of Zero Trust, least privilege and know what is doing what to what (technically speaking), have been around for a long time; however, many organizations have struggled with this and have yet to fully implement it successfully. Specifically, federal agencies are redirecting their focus on explicit trust of identities and assets.
Some parts have had moderate success with tools like multifactor authentication (MFA), but we must keep in mind that Zero Trust is not a tool, but a collection of concepts and ideas to enforce least privileged access for users, services, etc. only to what is needed. I have seen marginal improvements in organizations with large budgets and cyber staff. These are typically within organizations that have oversight from external organizations such as financial institutions and some government entities, and in cases where they may be life or safety concerns. I think many organizations are in and wait and see mode, so they do not have to things multiple times.
Q: From your perspective are Federal agencies moving along and making the changes required in the EO at a good pace, are they ahead of the game or behind?
Kerr: It is hard to say if the changes are taking place at a good pace, it really depends on your point of view. Federal agencies were given a deadline of 2024 (OMB Memorandum M-22-09) and getting the money for all this, changing architectural design of systems and networks, hardening the infrastructure, and getting the right people and processes in place to do all this by then will not be easy. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has to create all the governance around this quickly to allow organizations to manage towards a defined ‘end state.’
As long as bad actors can still do damage, many would say we are not ahead of the game but at least we are moving at good pace and in the right direction. Efforts taken by organizations associated with zero trust (e.g., MFA, architectural/information segmentation) and to enhance monitoring/detection/alerting/sharing to address the order have helped these organizations harden their environment. As such, attackers redirect their attacks to target softer environments. This redirection has increased attacks on the softer targets, (e.g., small businesses, shared resources) which in turn has increased the threat from the supply chain. Getting ahead of the game is a difficult task with today’s threat environment. It is all about managing the risk and where to apply limited resources.
Q: What are several of the most important steps that have been implemented so far as required by the EO?
Kerr: This question, at this time, is hard to answer since there are no required metrics currently in place by the Federal government of what specifically to do and how to verify and validate what is done.
Personally, I have seen an increase in partnerships between the vendors and users to collaborate, share information, and work together to solve issues and start to reduce technology sprawl and establish some semblance of an ‘end state.’
Some new regulatory requirements are being implemented that in the long run will have a positive impact; however, today these requirements are coming through so fast the cybersecurity staffs are unable to properly processes them nor can the technology respond to the threats. This situation is causing unwanted redirection of limited resources especially when compared to the nation state threats and all the other miscreants that are attacking.
Q: Are there any requirements that have not yet been completed that you feel are important and should be expedited in the coming months? Please name them.
Another key component to the EO was an increase in information sharing from the private sector to the federal government through updates to Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS). Unfortunately, this is still behind especially when it comes to reporting incidents. In this vacuum, I have seen many states establish rules and regulations that lead to many different requirements that may create confusion. Another area that is lacking is the establishment of software requirements for defining critical software and software development frameworks. There are also some shortfalls when it comes to Internet of Things (IoT) in that these measures are still being developed and the ability to manage IoT and the converged environment of information technology (IT) and operational technology (OT)/IoT is not sufficiently robust or fully integrated in daily operations.
Q: Is the EO as it now stands sufficient to keep the federal government on the right track when it comes to cybersecurity or does it need to be updated in the near future? If so, what needs to be added to the EO?
Kerr: I think this is a good start and gives enough direction for action. I was glad to see that it did not tell the cyber community how to do things as that never really works and would have stifled creativity and workable solutions by those in the trenches. The cyber threats, risks, and impacts are in constant change and no document can keep up with it. We should constantly strive to improve beyond this. I think that some of the processes and organizations being established for sharing information will help everyone keep up with the constant changes of the threat landscape.