Thursday, May 13, 2021

Expected impact of the executive order improving cybersecurity

The President of the United States has issued an executive order concerning cybersecurity.  https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

This is my rapid-response analysis.

The order was undoubtedly in preparation for a considerable amount of time, but it was released following the ransomware attack on the Colonial Pipeline in the US, which carries petroleum products along most of the East Coast.

Technically, the executive order applies only to US government contractors, but many of the provisions apply to the entire supply chain leading up to these directly specified customers.  As a result, most of the orders will impact, to varying degrees, any company that does business with a government contractor as well as any government contractor or supplier.  An executive order cannot compel companies that are not government contractors to change what they do, but those who do not comply may be excluded from doing business with the government and any of its contractors or suppliers, so it, in effect, applies to almost all companies.

The executive order is intended to do several things:

·       Remove barriers to sharing threat information, primarily between the government and private entities, but it will also have the effect of making it easier to share information among private entities.

·       Strengthen cybersecurity standards.

·       Mandate the wider use of zero-trust methods and architectures.

·       Require software developers to maintain greater visibility.

·       Make public security information so that consumers can evaluate the security of a software system.  As an outcome it establishes an “Energy-Star” like program for rating software security.

·       Mandate the use of multi-factor authentication where appropriate.

·       Strengthen the requirements around encryption at rest and for data in motion.

·       Establish a cybersecurity review board.

·       Create a standard playbook for responding to cyber-incidents. I predict that this will end up being a mandate that each company have a standard procedure for dealing with cyber-incidents.

·       Improve capabilities to detect cybersecurity incidents.

·       Improve investigative and remediation capabilities.

Analysis

The order provides a lot of common-sense ideas for how to improve cybersecurity—common sense, that is, if you spend your time thinking about cybersecurity.  Nothing in the order seems outlandish or overly burdensome.  Cybersecurity is the grand challenge of the 21st Century, and it is increasingly obvious that we need to pay a lot more attention to it.  Cybersecurity failures are expensive and highly damaging to the reputations of the organizations that are attacked.

The order discusses removing the contractual barriers that prevent companies from sharing information about cyberattacks.  Although strictly, these barriers include only those in US federal contracts, there will be increasing pressure to share information among all concerned parties.  Any information relevant to cyber incidents or potential incidents must be reported promptly to relevant government agencies, using industry-recognized formats. The extent of sharing will certainly increase, but it will still require a careful balance among business interests, privacy, and coordinated defense.

The focus of the order is to bring systems up to modern cybersecurity standards.  NIST, the National Institute of Standards and Technology, has been very active in creating these standards.  Organizations may need to review their security practices to be sure that they meet current standards.  I would expect, in addition, that future standards will be developed that will require additional investments.  The order contains an intention to invest in technology and personnel to match the modernization goals.  It will require congressional action, however, to actually fund these good intentions.

The order mandates transitioning to Zero Trust Architecture.  The order defines Zero Trust Architecture as “a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”  This framework gives users access to the specific computational resources that they need to perform their jobs.  Traditional security architectures put all of their effort into defending the perimeter of a network.  Once through the firewall, an attacker would essentially have free rein, because all machines within the firewall were considered fully protected.  Zero Trust Architecture reverses that assumption.  Every machine is suspect, no matter where it is located, until it is verified that the machine has a need for access to a resource and permission to access it.

Defenders have to correctly defend their systems every time, but attackers need only succeed once.  It is no longer a matter of whether attackers will pierce the firewall, it is when and how will they find a way to do it.  Therefore, internal as well as peripheral defenses are necessary, and Zero-Trust Architectures provide a framework for that internal + periphery protection.

The order requires new documentation and compliance frameworks, which may add to the requirements on how companies document their processes and products.

One of the most impactful features of the new order is its focus on preventing supply chain attacks.  It requires software that can resist attacks and detect tampering.  Each provider will be required to verify that its software has not been compromised, including any software that is used for development and deployment as well as in the components that are used.  The government, with the involvement of the relevant parties, will be developing guidelines that can be used to evaluate software security, including the practices of developers and suppliers.  These parties will need to demonstrate their conformance with secure practices.  The guidelines are expected to include (quoting from the order):
          (i)     secure software development environments, including such actions as:
              (A)  using administratively separate build environments;
              (B)  auditing trust relationships;
              (C)  establishing multi-factor, risk-based authentication and conditional access across the enterprise;
              (D)  documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
              (E)  employing encryption for data; and
              (F)  monitoring operations and alerts and responding to attempted and actual cyber incidents;
          (ii)    generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section; 
          (iii)   employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
          (iv)    employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
          (v)     providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;
          (vi)    maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
          (vii)   providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
          (viii)  participating in a vulnerability disclosure program that includes a reporting and disclosure process;
          (ix)    attesting to conformity with secure software development practices; and
          (x)     ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

Companies will need to provide a software bill of materials that reflects all of the components included in the code.  Modern code often contains many components, some of which are purchased, some are open source, and some are developed in house.  Each of those components could introduce malware in what is called a supply chain attack.  The attacker corrupts the component during its development, without the producer’s knowledge.  The producer distributes this corrupt component and certifies that it actually comes from the producer, lulling its users into a false sense of security.
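To make the SBOM requirement concrete, here is an added example (my own illustration, not code from the order or from any government program) of what a minimal bill of materials looks like and how a purchaser can use it to detect the tampering described above.  The component names, versions, suppliers and artifact bytes are constructed for the example, and the field names are only loosely modelled on common SBOM formats, so this is not a conformant document of any standard.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample: the artifacts a hypothetical build ships, with their
# bytes inline.  A real build would read these files from the release tree.
SHIPPED_ARTIFACTS: Dict[str, bytes] = {
    "libexample-1.2.0.tar.gz": b"constructed bytes of an open-source library",
    "vendor-parser-3.4.1.whl": b"constructed bytes of a purchased component",
    "internal-auth-0.9.0.zip": b"constructed bytes of an in-house module",
}

# Constructed metadata: (artifact file, name, version, supplier, origin).
COMPONENT_METADATA = [
    ("libexample-1.2.0.tar.gz", "libexample", "1.2.0", "Example OSS Project", "open-source"),
    ("vendor-parser-3.4.1.whl", "vendor-parser", "3.4.1", "Vendor Inc.", "purchased"),
    ("internal-auth-0.9.0.zip", "internal-auth", "0.9.0", "Our Company", "in-house"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, version: str, artifacts: Dict[str, bytes], metadata) -> dict:
    """Producer side: record every component, where it came from, and a hash of
    the exact bytes shipped.  Field names are illustrative, not a real schema."""
    components = []
    for filename, name, ver, supplier, origin in metadata:
        components.append({
            "name": name,
            "version": ver,
            "supplier": supplier,
            "origin": origin,  # open-source / purchased / in-house
            "artifact": filename,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifacts[filename])}],
        })
    return {
        "bomFormat": "example-sbom",
        "product": {"name": product, "version": version},
        "components": components,
    }


def verify_against_sbom(sbom: dict, observed: Dict[str, bytes]) -> List[str]:
    """Purchaser side: compare what was actually delivered against the SBOM.
    Returns a list of findings; an empty list means every listed component is
    present and unmodified and nothing undeclared was delivered."""
    findings: List[str] = []
    listed = {}
    for comp in sbom["components"]:
        listed[comp["artifact"]] = comp
        data = observed.get(comp["artifact"])
        if data is None:
            findings.append(f"missing: {comp['name']} {comp['version']} ({comp['artifact']})")
            continue
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if sha256_hex(data) != expected:
            findings.append(f"hash mismatch: {comp['name']} {comp['version']} ({comp['artifact']})")
    # A component that ships without appearing in the SBOM is itself a finding.
    for filename in observed:
        if filename not in listed:
            findings.append(f"unlisted artifact: {filename}")
    return findings


if __name__ == "__main__":
    sbom = build_sbom("example-product", "1.0.0", SHIPPED_ARTIFACTS, COMPONENT_METADATA)
    print(json.dumps(sbom, indent=2))
    print("clean delivery:", verify_against_sbom(sbom, SHIPPED_ARTIFACTS))
    # Simulate a component replaced after the SBOM was produced.
    tampered = dict(SHIPPED_ARTIFACTS)
    tampered["libexample-1.2.0.tar.gz"] = b"same name, different bytes"
    print("tampered delivery:", verify_against_sbom(sbom, tampered))
```

The hash comparison is what gives the SBOM teeth: a component swapped after the bill was produced keeps its name and version but no longer matches, and anything delivered that the producer never declared shows up as an unlisted artifact.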

The order includes an effort to build a security rating system that can be applied to IoT (Internet of Things) and other systems.  This rating system is intended to mimic the Energy Star ratings and make it easy for customers (individuals and government agencies) to determine that a system has been evaluated for security and what its status is.

The order mandates the development of a standard set of procedures for dealing with cybersecurity incidents.  From the private sector point of view, I expect that this mandate will end up being a requirement that each party have in place standard operating procedures for dealing with these attacks and for communicating about them with the government and the public. 

An important opportunity for innovation is the mandate to improve detection of cybersecurity vulnerabilities.  Right now, we are very effective at blocking malicious activity at the periphery (e.g., at the firewall), but we have seen that not all attacks come in through the same channels.  We would benefit from a capability that identifies evidence of an attack from within the network.  Eventually attackers will get into the internal systems, and we will need Endpoint Detection and Response measures to detect the presence of attackers and remove them.

The order is very clear about the need for security-related logs to be protected by cryptographic methods.  Providers may need to adjust some logging procedures to meet this requirement.
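One common way to give logs the cryptographic protection the order asks for is a keyed hash chain: each record carries an HMAC over its sequence number, the previous record's tag and its own message, so that altering, dropping or reordering any record breaks the chain.  The following is an added example of that technique, written for this post and not taken from the order or any particular logging product; the key, the log lines and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # stands in for the "previous tag" of the very first record

# Constructed key for the example.  In practice the key lives on the log
# collector (or in an HSM/KMS), not on the hosts whose logs it protects.
KEY = b"constructed-example-key-not-for-real-use"

# Constructed sample events.
SAMPLE_EVENTS = [
    "2021-05-13T10:00:01Z sshd: accepted publickey for admin from 10.0.0.5",
    "2021-05-13T10:00:07Z sudo: admin ran /usr/bin/systemctl restart nginx",
    "2021-05-13T10:02:45Z audit: config file /etc/nginx/nginx.conf modified",
]


def _tag(key: bytes, seq: int, prev: str, message: str) -> str:
    # Bind sequence number, previous tag and message into one MAC so no single
    # field can be changed without the tag changing too.
    payload = json.dumps({"seq": seq, "prev": prev, "msg": message}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(key: bytes, log: List[dict], message: str) -> dict:
    """Append one event, chaining it to the last record's tag."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": seq, "prev": prev, "msg": message, "mac": _tag(key, seq, prev, message)}
    log.append(record)
    return record


def verify_log(key: bytes, log: List[dict], expected_count: Optional[int] = None) -> Optional[str]:
    """Return None if the chain is intact, otherwise a description of the first problem.

    A chain alone cannot detect records silently removed from the *end*, so the
    caller may pass the record count it trusts (e.g. the last count the collector
    acknowledged) to catch truncation as well."""
    if expected_count is not None and len(log) != expected_count:
        return f"record count {len(log)} != expected {expected_count} (possible truncation)"
    prev = GENESIS
    for position, record in enumerate(log):
        if record["seq"] != position:
            return f"sequence gap at position {position}"
        if record["prev"] != prev:
            return f"chain break at record {position}"
        if not hmac.compare_digest(record["mac"], _tag(key, position, prev, record["msg"])):
            return f"MAC mismatch at record {position}"
        prev = record["mac"]
    return None


def build_sample_log() -> List[dict]:
    """Write the constructed events into a fresh protected log."""
    log: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_record(KEY, log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_log(KEY, log))
    log[1]["msg"] = log[1]["msg"].replace("restart nginx", "status nginx")  # an edited entry
    print("edited entry:", verify_log(KEY, log))
```

Verification stops at the first bad record, which is also the forensic pivot: everything before it is still trustworthy, everything from that point on is not.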

Conclusion

Overall, many of the mandates of this order involve features that are already known or are in development.  The mandates for how suppliers develop and deliver software are likely to be the most impactful.  If nothing else, this order highlights the need for enhanced cybersecurity, which should make it easier to persuade organizations of the importance of these measures. 
