Pitched as a response to SolarWinds and the string of high profile breaches, President Joe Biden's Executive Order on Improving the Nation’s Cybersecurity operates on a variety of levels. At the core, there are specific recommendations to improve federal cybersecurity, including improvements in the security standard for federal purchases, developing a playbook for response, and requiring a modern suite of security techniques, including endpoint detection and response and a zero trust architecture.
But the order goes much further, creating a National Transportation Security Board-type system to deconstruct lessons after major breaches. It requires federal contractors to report breaches that could impact national security to the government. It even creates a labeling system for IoT products. All of these efforts create potential for far-reaching impact across public and private sector organizations.
“If two or three years ago, a similar executive order had been issued – if the dollars had been aligned for those actions and if the agencies had actually implemented them – I don't know if we would have stopped SolarWinds, but the probability would have been higher,” said Tom Gann, chief public policy officer at McAfee. “I think, at a minimum, we would have been able to see it earlier.”
So with many cybersecurity experts expressing optimism about the goals of the order, what might the community expect?
What it is and what it isn’t
The order received overwhelmingly positive reviews for its layered approach, especially for its inclusion of granular detail on required cybersecurity practices at agencies.
“There are some very sexy things in there. The safety review board is going to be a sexy thing, but you have to deliver on these detailed, unsexy IT requirements,” said Jonathan Reiber, senior director for cybersecurity strategy at AttackIQ and former chief strategy officer for cyber policy at the Department of Defense.
Reiber singled out the move toward zero trust, EDR and automated testing as, quietly, the most important parts of the order. Layered on top of federal requirements are also attempts to secure the consumer and business market by improving supply chains and leveraging federal buying power.
That said, while the order is large and comprehensive, it isn’t the end of cyber policy. “The order is not a panacea,” said Bill Wright, director of federal government affairs for Splunk.
Noticeably absent from the executive order for example are specific measures to address ransomware. The administration and Congress seem to be addressing that matter through separate efforts, many of which were touted in response to the attack on the Colonial Pipeline that demonstrated first hand the trickle down impact when critical infrastructure is targeted. Several of the widely proposed suggestions can be pursued by the administration without congressional involvement – including using Cyber Command to interrupt ransomware operations. The administration also noted efforts for increased international cooperation for ransomware, and created a Department of Justice task force to focus on the issue. But other key suggestions like requiring federal notification of ransomware attacks requirement alignment with the Hill.
The administration also released what is thought to be the first of several executive orders concerning industrial systems. That order, released in April, targeted the electric grid and power.
What comes next
The order includes a frantic amount of work for government networks, with some suggesting the timeframes given to upgrade standards may be narrow.
“The agency timelines are extremely tight. So the war will be won or lost in the implementation stage on EO,” said Wright.
While the executive order is meant to directly upgrade federal networks, it demonstrates a concerted effort to influence the business and consumer marketplaces through its purchasing power. That in turn may have pretty widespread impact on security: By raising the bar on cybersecurity in procurement, the federal government guarantees that delineated products meeting a certain standard are brought to market. Manufacturers are sometimes reluctant to sell more than one version of a product; increasing standards may lead to the outright elimination of less secure alternatives.
“If you give capitalists a way to make more money, you're you're a hero,” said Mike Hamilton, former chief information security officer of Seattle and CISO of government cybersecurity firm CI Security.
The order offers several sections of direct outreach to businesses, including its intent to make the incident review board a public private partnership headed by industry. That, Reiber said, "has the potential to be transformative." The effort is modeled after the NTSB review board, which created a case history for government, manufacturers and airlines to deconstruct for their joint preparedness, and ultimately led to technologies like the black box flight recorder. It may give stakeholders a chance to avoid mistakes by learning from other incidents.
“The Solarwinds intrusion is the biggest cloud intrusion or the biggest intrusion in terms of scope that's happened to the federal government,” Reiber said. “But it is not the first time that an intruder has moved laterally throughout a network to have significant damage. We had Target, then we had OPM, and we had SingHealth; these things kept coming.”