On May 12, President Biden issued Executive Order 14028 focused on improving the nation’s cybersecurity posture. The order follows the recent cyberattack on one of the nation’s largest pipelines, Colonial Pipeline, in which Russian organized crime successfully inserted ransomware into the controls of the pipeline. The attack effectively halted 40% of fuel supply and resulted in a ransom payment of $5 million.
The order also comes months after one of the most catastrophic cyberattacks against America known as the SolarWinds hack. Texas-based IT company SolarWinds supplied software to the federal government, and during development of the software itself, Russian intelligence operatives inserted malicious code that coopted the system to divulge secret information. This one supply chain attack alone is estimated to have affected more than 18,000 customers in addition to the federal government.
The executive order largely takes aim at government policies and processes; however, there is at least one section aimed at the civilian space; i.e. the IoT and consumer products. Further, companies intending to do business with the federal government will have to comply or risk being unable to do business.
As a general statement, the operative portions of the order seek to (1) coordinate government efforts and reduce compartmentalization of cyber risk and attack response within the government, and, (2) will do so via widespread use of the National Institute of Science and Technology (NIST) security frameworks.
Moreover, the order requires the federal government to move quickly to cloud-hosted services and to adopt a zero-trust framework. “Zero-trust” includes as a software system policy that no one has authority to access or do anything unless specifically authorized to, as opposed to system settings (policies) that assume users may access all and/or change the system unless not permitted. If there was ever any question that cloud computing is more secure than self-hosted, that question has now been answered.
Interestingly, the order outright requires the adoption of multi-factor authentication and data encryption within 180 days. Those agencies unable to comply must provide a written report explaining why they are unable to comply.
By federal government standards, changes are to take place at a blistering pace, with the change function to be begin within 60 or 90 days. The order is in 10 parts which are briefly discussed below.
Section 1 of the order describes the current state of affairs regarding cybersecurity in the federal government. That is, cybersecurity and response is largely siloed off between different agencies.
In response to Section 1, Section 2 focuses on requiring agencies to share threat information among government contractors via removal of contractual prohibitions that hinder threat information sharing.
Within 60 days, the Office of Management and Budget is to provide recommendations on changing government regulations for the purpose of “[r]emoving…contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government.”
Within 90 days, the proposed changes to the federal regulations will be published for comment, and within 120 days, data sharing is to commence. The order goes on to require prompt reporting of cyber incidents when discovered.
Further, the order requires the development of standardized common contractual cybersecurity requirements for unclassified systems, including review of current agency-specific requirements for standardization. That is, Section 3 provides:
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
In other words, the federal government has 60 days to update existing plans to migrate to cloud technology and implement “Zero Trust Architecture” per the steps outlined by the NIST for such systems. The order provides for longer periods of time to take other related steps that included a requirement for the development of a cloud-service governance framework, as well as a description of services available to the federal agencies in the event of a cyber incident.
Section 4 provides for the enhancement of software supply chain security which is an obvious necessity given the recent SolarWinds hack. Somewhat of a non-sequitur given that it is not directly aimed at the federal government is the requirement in this section that requires the creation of pilot programs for the education of consumers on the Internet of Things (i.e. “IoT”) security, consumer labeling of such devices and the like. This order provides for the case of the eves-dropping Internet-connected refrigerator hijacked to stop working at the most inopportune time. A single hacked refrigerator is a punchline to a joke, but a broad-based attack designed to take down a thousand refrigerators in a local area is a realistic problem (i.e. a snack-attack).
Section 5 provides for the creation of a “Cyber Safety Review Board” under the auspices of the Attorney General and the Secretary of Homeland Security. The Board is tasked, in a general sense, with reviewing the current state of affairs and making recommendations for improving cybersecurity and incident responses practices. The order provides more specifics.
Section 6, titled “Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents,” requires the Secretary of Homeland Security to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB [federal civilian executive branch] information Systems.” Candidly, this is something that all organizations, and not just governmental ones, should be doing as a part of best practices.
While slightly different, Section 7 enhances detection of vulnerabilities and incidents on federal government systems. Section 8 covers investigation and remediation of those detected issues.
Section 9 relates to National Security Systems and essentially keeps in place national security requirements as previously promulgated. Section 10 consists of definitions for this jargon-laden cyber executive order.
So, what does all this mean? It means the government is finally getting serious about security. Which suggests that private entities should be doing the same.
