US President Joe Biden signed an Executive Order this week to boost the cyber security of federal government systems and data, stating that bold decisions and significant investments are needed to protect vital institutions from modern cyber threats.
Through the Executive Order, published by the White House this Wednesday, President Biden said that the prevention, detection, assessment, and remediation of cyber incidents has become a top priority for the administration and is essential to national and economic security. The administration will therefore dedicate its full resources to protecting its computer systems, whether cloud-based or on-premises, and whether they are IT or OT platforms.
He also called upon the private sector to “adapt to the continuously changing threat environment” and make their IT systems and devices more secure and resilient to cyber attacks. “Incremental improvements will not give us the security we need,” he said.
The Executive Order comes on the heels of a highly disruptive ransomware attack that shut down operations at Colonial Pipeline, a critical infrastructure organisation that delivers about 45% of the fuel consumed on the US East Coast. Colonial is the country's largest pipeline company, delivering various grades of gasoline, diesel fuel, home heating oil, jet fuel, and fuels for the US military. The company reportedly paid a ransom of around $5 million to restore operations as quickly as it could.
In recent months, US government organisations, intelligence agencies, and thousands of private corporations have also suffered network intrusions as a result of attackers exploiting weaknesses in widely used software, including the SolarWinds Orion IT monitoring platform and on-premises Microsoft Exchange servers.
For instance, a trojanised software update to the SolarWinds Orion platform was downloaded by about 18,000 private and government organisations, giving the Russian state-backed attackers behind it a foothold from which to move deeper into victims' networks and exfiltrate data. Only a fraction of those organisations saw follow-on hands-on intrusion, but the initial foothold was in place wherever the backdoored update had been installed.
Federal government officials told The New York Times that the hacking operation breached the Department of Homeland Security, the State Department, and parts of the Pentagon, in addition to the Treasury and Commerce Departments, whose compromise The Washington Post had reported earlier.
In his Executive Order, President Biden has emphasised removing barriers, including contractual ones, to the sharing of threat intelligence between government agencies and the private sector, including IT and OT service providers and the dedicated cyber security firms that conduct deep analysis of major incidents. Unimpeded intelligence sharing, he says, will accelerate incident deterrence, prevention, and response efforts and enable a more effective defence of agencies' systems and stored data.
As far as securing Federal government systems and data is concerned, Biden said the government will modernise its approach to cyber security by embracing Zero Trust Architecture and accelerating the shift towards secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
In order to prevent future software supply chain attacks, the Executive Order calls for enhancing the security and integrity of "critical software", meaning software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). Federal agencies will adopt new standards and best practices to evaluate the security of the software they buy, to assess the security practices of the developers and suppliers themselves, and to identify tools and methods by which suppliers can demonstrate conformance with secure development practices, including providing a software bill of materials for each product.
President Biden has also entrusted the Secretary of Homeland Security with establishing the Cyber Safety Review Board, the role of which would be to review and assess significant cyber incidents affecting federal and non-federal IT systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
Federal agencies will also be required to adopt a standard playbook for responding to cyber security vulnerabilities and incidents, so that they identify, remediate, and recover from them in a consistent way. A standardised response process will allow a more coordinated and centralised cataloguing of incidents and tracking of each agency's progress toward a successful response.
Federal Civilian Executive Branch (FCEB) agencies will also deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cyber security incidents within Federal Government infrastructure, active threat hunting, containment and remediation, and incident response. Federal government organisations will further be required to retain network and system logs, and to protect them from tampering and unauthorised access, since intact logs are invaluable for both investigation and remediation in the aftermath of an attack.
“With this Executive Order, President Biden is establishing a high bar for what a modern cybersecurity practice should look like – rather like how the European GDPR has become the gold standard for data privacy,” says Tim Mackey, principal security strategist at the Synopsys CyRC. “As with prominent data breaches being a driving force behind current privacy regulations, ongoing cyberattacks of various forms, like SolarWinds and Colonial Pipeline, have demonstrated a need for a new approach when defending against attacks.”
According to Mackey, the Executive Order can be summarised as follows: know all the software you are running and where it originated, make sure you understand the risks associated with running that software and can quantify those risks, and then deploy the software using a model that grants only minimal access. Without a comprehensive inventory of all software, regardless of its origin, it is impossible to mitigate threats against the software powering a business or a government.
Adam Isles, Principal of The Chertoff Group, says that technology suppliers need to start preparing now by reviewing existing practices around code provenance, use of secure software frameworks and threat modeling to safeguard both software itself and the surrounding development and production environments, as well as incident response and crisis management practices.
“Buyers can take action now by planning for how to internalize resulting guidance into contracts and SLAs, as well as using new data sets like software bills of materials. They also need to consider zero trust approaches to defending their own environments from continuing supply chain risks,” he adds.
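The inventory-and-provenance idea that Mackey and Isles describe above is what a software bill of materials (SBOM) is meant to make mechanical: every component, its version, who supplied it, and a hash to verify it against. The following is an added example, not code from the article, the Executive Order, or any of the vendors quoted; it audits a constructed CycloneDX-style SBOM for components whose origin cannot be traced or whose integrity cannot be checked, and matches component versions against a constructed advisory list (the advisory identifier `CONSTRUCTED-ADV-1` and all package names are made up for illustration; a real check would use the supplier's SBOM and a vulnerability feed such as the NVD).

```python
"""Audit an SBOM for provenance gaps and known-vulnerable versions.

Added example; the SBOM, package names and advisory data below are constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in the CycloneDX 1.4 JSON layout (minimal fields only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:generic/libfoo@2.3.1",
         "supplier": {"name": "Example Corp"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "application", "name": "netmon-agent", "version": "1.9.0",
         "purl": "pkg:generic/netmon-agent@1.9.0",
         "supplier": {"name": "Example Corp"},
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        # Deliberately incomplete entry: no purl, no supplier, no hash.
        {"type": "library", "name": "mystery-lib", "version": "0.4.2"},
    ],
})

# Constructed advisories: (package, first vulnerable version, first fixed version, id).
# Lower bound inclusive, upper bound exclusive.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("netmon-agent", "1.8.0", "1.9.3", "CONSTRUCTED-ADV-1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.9.0' into a comparable tuple.

    Non-numeric suffixes are dropped; this is enough for the constructed
    data here but is not a full semver comparison.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_advisories(name: str, version: str) -> List[str]:
    """Return the ids of advisories whose version range covers name@version."""
    if not version:
        return []
    v = parse_version(version)
    return [adv_id for adv_name, lo, hi, adv_id in ADVISORIES
            if adv_name == name and parse_version(lo) <= v < parse_version(hi)]


def audit_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Map each problematic component ('name@version') to a list of findings.

    A component is flagged when its origin cannot be traced (no package URL
    or supplier), its integrity cannot be verified (no SHA-256 hash), or its
    version falls inside an advisory range. Clean components are omitted.
    """
    sbom = json.loads(sbom_json)
    report: Dict[str, List[str]] = {}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version", "")
        key = f"{name}@{version}" if version else name
        issues: List[str] = []
        if not version:
            issues.append("no version recorded")
        if not comp.get("purl"):
            issues.append("no package URL (origin cannot be traced)")
        if not comp.get("supplier", {}).get("name"):
            issues.append("no supplier")
        sha256 = [h for h in comp.get("hashes", [])
                  if h.get("alg") == "SHA-256" and h.get("content")]
        if not sha256:
            issues.append("no SHA-256 hash (integrity cannot be verified)")
        for adv_id in affected_advisories(name, version):
            issues.append(f"matches advisory {adv_id}")
        if issues:
            report[key] = issues
    return report


if __name__ == "__main__":
    for component, findings in audit_sbom(SAMPLE_SBOM).items():
        print(component)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed SBOM, `libfoo` passes, `netmon-agent 1.9.0` is reported only because its version sits inside the advisory range, and `mystery-lib` is reported three times over because nothing in its entry lets a buyer say where it came from or confirm that the artefact on disk is the one the supplier shipped. The first kind of finding is what a vulnerability feed gives you; the second kind is the provenance gap an SBOM exists to expose, and a contract or SLA can require that suppliers close it.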