U.S. President Joe Biden has signed an executive order (EO) to improve the cybersecurity of the U.S. As the U.S. faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately people’s security and privacy, the EO seeks to improve efforts to identify, deter, protect against, detect, and respond to these actions and actors.
Specifically, the EO will:
1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.
2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
3. Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market. Finally, it creates a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.
4. Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.
5. Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
6. Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential.
7. Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.
Curious about what industry experts are saying about this executive order? Keep reading below to find out:
Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:
President Biden’s executive order is a good start. We’re better off for it. Mandating endpoint detection and response as a new government-wide focus is particularly important yet we can’t forget about threat detection and response for cloud, data center and IoT. Too many agencies still rely on obsolete prevention strategies. That said, cybersecurity must remain a bipartisan legislative priority. Executive orders can only accomplish so much, and as the Colonial Pipeline case just proved, we’re in a security emergency that demands more.
Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions:
Several of the directives have been in discussion for a long time and many of us are glad to finally see them appear in the Executive Order. For example, the inclusion of a Software Bill of Materials (SBOM) requirement and a Cyber Safety Review Board are significant steps forward. For SBOMs, this is as momentous as when ingredient labels were added to food products that we buy. We've needed an equivalent for the IT products that we buy and the SBOM is a big step towards that.
Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
The executive order is a major step in the right direction for strengthening US cyber defenses primarily because it removes barriers to collaboration around cyberthreats, which is essential for effective cyber response. The executive order makes a Zero Trust Architecture central to the Federal Government’s approach to cybersecurity. This is a crucial step. It’s encouraging to see cloud security, Endpoint Detection and Response and active threat hunting on government networks as important components of the executive order. The executive order requires IT service providers to tell the government about cybersecurity breaches that could impact U.S. networks, and removes certain contractual barriers that might stop providers from flagging breaches. By encouraging this level of collaboration among service providers, government agencies, and the private sector, organizations will be able to respond faster to mitigate the risk of cybersecurity breaches against the U.S. Additionally, by requiring a standardized playbook and set of definitions for federal responses to cyber incidents, the executive order will ensure that government agencies are aligned in how they respond to incidents. This will help reduce operational gaps that could introduce cyber risk and will allow security operations to scale across agencies.
The executive order is also pushing to improve the security of software sold to the government, including by making developers share certain security data publicly. The government is using its buying power to demand improved software security standards by the private sector. In nine months, the federal government will only buy from companies that have met these newly developed software security standards. At Lookout, we take software security and operational security standards seriously and believe that every organization should take steps to obtain FedRAMP JAB P-ATO certification. We have and are proud of it.
David McNeely, chief technology officer, ThycoticCentrify:
One of the primary lessons learned from the SolarWinds attack is that even the most secure organizations can fall victim to sophisticated cybercriminals. No one security solution or vendor can prevent well-funded and organized nation-state attacks, and it takes multiple layers covering different domains and a combination of predictive, preventive and detection-focused controls to protect an organization or government agency.
This executive order (EO) is a positive, as it seems to expand on the standard for organizations supplying technology to the federal government that the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have been driving. It appears that, through the new EO, those vendors will now be required to protect "controlled unclassified information" in their nonfederal systems as defined in NIST 800-171. We see this as a clear way to expand the security controls defined by NIST, and even the already-stringent FedRAMP authorization, as best practice guidance for all government agency suppliers.
Plus, it marks a positive step in transparency between technology vendors and government organizations. The security community is stronger together, and information sharing on vulnerabilities, breaches, new nation-state threat groups and more will benefit the industry as a whole while simultaneously protecting federal entities.
Amit Yoran, CEO of Tenable and founding director of US-CERT in the U.S. Department of Homeland Security:
The attack on Colonial Pipeline underscores just how critical the new cyber executive order (EO) is to our national security. The question on everyone’s mind is whether the EO will stop the next SolarWinds or Colonial Pipeline attack. Make no mistake — no one policy, government initiative or technology can do that. But this is a great start.
This is one of the most detailed and deadline-driven EOs I’ve seen from any administration. In the wake of a seismic attack, like SolarWinds, this is incredibly encouraging to see.
Within the next year, all software vendors for the federal government must have an established software development lifecycle. This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — one broken chain link can bring down the entire fence. While these practices won’t prevent all supply chain breaches, it’s an important step forward.
Part of the new guidelines includes breach notification requirements for software suppliers. This forces much-needed transparency and accountability across the private sector which have been avoided for too long. This should be a welcomed change by all — technology vendors, government agencies and end-users.
However, the next and arguably most important step is implementation. While we’re encouraged to see cybersecurity play a prominent role in President Biden’s policy initiatives, we must now focus our attention on making this executive order actionable.
James Hayes, VP of Global Government Affairs, Tenable:
President Biden released a detailed cybersecurity executive order (EO) that is a welcomed example of the administration’s focus on improving the nation’s cybersecurity posture in the wake of the SolarWinds and Colonial Pipeline attacks. As more and more organizations look to zero-trust security as the way forward, this EO takes a bold step forward in making sure the days of bolting security onto critical systems as an afterthought are upended.
This detailed EO will require federal agencies and their private sector partners to share information and double down on the cybersecurity basics to successfully drive a zero-trust framework throughout the federal enterprise. The past year exposed significant vulnerabilities within our digital infrastructure. We are still learning the full scope and scale of these cyberattacks, and it’s becoming clear that, in order to prevent something like this from happening again, the federal government and the private sector must partner together to implement smart cyber policies and best practices.
It is encouraging to see the Biden administration elevate cybersecurity policy and aggressively drive implementation early in its tenure, and today’s EO is a much-needed step in the right direction. However, there is still more we must do.
Ralph Pisani, president, Exabeam:
With the SolarWinds cyber assault estimated to have started in October 2019 and impacting several global companies like Microsoft and FireEye, there must be a reckoning in the cybersecurity industry – and the sooner, the better.
If we have plenty of security solutions, innovations and tools available, why are we allowing breaches of this scope and magnitude to continue? To me, the answer is simple: the problem is not only the lack of knowledge about technology, it’s also about the lack of refined processes needed to find a breach. Rather than focusing on a product, teams must shift the fundamental, organizational priorities for securing the enterprise to be more process-focused.
As an industry, we must help organizations evolve with the changing threat landscape and adapt to create greater operational efficiency. For instance, most available detection solutions are focused on known threat response, when they should really be focused on identifying behavioral signs of network infiltration. We must also embrace the idea that identity is the new perimeter. Of course, having visibility into the credential usage at The Department of Treasury would not have prevented the SolarWinds attack, but it would have identified and contained it more rapidly. Last but not least, we’ve seen the enemy run the same game over and over, so the defense starts with: detection, triage, investigation, and response. While there’s increasing focus on addressing the two ends of detection and response, most companies struggle or overlook the middle pieces without realizing the smokescreen this provides for attackers.
That tells me that there is a psychological metamorphosis needed in security. This executive order could serve as a positive push in that direction. With this extra layer of accountability for vendors with government customers, SOC teams will be motivated to shift their focus away from the idea that machines will draw conclusions for them and take those extra process steps to protect their own enterprise and their customers.
Neil Jones, cybersecurity evangelist, Egnyte:
Cybersecurity supply chain attacks, like the SolarWinds hack, are stark reminders that we need to modernize our collective approach to cybersecurity. The attacks are now designed to target specific, higher-profile organizations in the public and private sectors. Whether driven by nation-states or cybercriminals, the primary objective of the attacks remains the same: to obtain users’ sensitive data. With data in hand, attackers can exploit it for espionage purposes, competitive advantage, and/or for monetary gain, as we have experienced with many recent hacks.
If we hope to protect our critical infrastructure and government entities, requirements need to be stronger, with more stringent certifications required to work on federal contracts. In addition, there should be a stronger emphasis on adopting a data-centric security strategy that properly secures and governs sensitive information (especially for supply chain relationships), which currently represents the soft underbelly for cyberthreats. Finally, we can anticipate that successful techniques attackers employ on larger organizations will be adapted for use on smaller organizations, which generally have smaller security teams and less advanced security protocols.
Alex Pezold, CEO of TokenEx:
Today, many organizations use a combination of vendors and technologies to assist with their digital operations, causing a need for transparency and responsible information-sharing to ensure that intrusions and other malicious activities are promptly identified and addressed. Regardless of whether such transparency is required by law, we believe it is a best practice for privacy and security.
Jeff Hudson, CEO of Venafi:
The new executive order is a swing and a miss from the government. Prescriptive regulations for the software industry simply will not work -- the federal government cannot move quickly enough to effectively regulate how software is built.
Look at machine identities, for example. The SolarWinds attackers’ operation relied upon machine identities: X.509 certificates to stay unnoticed and OAuth App certificates to obtain access to cloud networks. And just last month, Gartner listed machine identity management as a top security concern for 2021. Despite all of this, the executive order completely overlooks the risk that machine to machine communication poses to our entire nation’s security infrastructure.
The only way the government can help protect individuals and companies from becoming victims of insecure software build processes is by incentivizing the software industry to build better. There needs to be strict financial repercussions for any company that fails to do so. This order, as it stands, will slow down software companies and give attackers the opportunity to innovate faster.
It's great to see the administration taking improvement of cybersecurity standards seriously. The gravity and widespread nature of the SolarWinds attack clearly demonstrates that the impact of nation-state cyberattacks has reached a new level of risk. There is so much software development behind how government agencies operate and interact with citizens these days. Like the SolarWinds attacks showed, that software code and all the third-party suppliers in the software supply chain are the next key vector of attack and will continue to be.
But prescriptive regulation alone is insufficient. We need industry leaders to adopt secure development practices and make security an unambiguous priority at all levels. Accountability is another part of the answer — the cost of security breaches should be sufficient to motivate vendors and IT professionals to make changes to proactively detect and prevent more vulnerabilities. The industry as a whole needs to shift security left — ensuring that security is implemented in the software development life cycle instead of waiting to add in security after products are deployed into production. Enforcing tighter software security standards is a must have for our government agencies and industry to remain safe from malicious foreign attacks.
Ariel Tseitlin, Partner, Scale Venture Partners:
This executive order is announcing something that the industry has been asking the government to do for many years, so this is a welcomed action. Supply chain risk, or third-party vendor risk, will undoubtedly start getting more attention, though that has already started happening after the SolarWinds breach - recent data suggests that half of security professionals are already increasing budgets to address SolarWinds. While this order imposes some additional reporting requirements, nothing appears much more onerous than what CCPA and CPRA already mandate.
Brian Fox, CTO of Sonatype:
You can’t protect what you can’t see. And too many organizations don’t have a full picture of what’s inside their software. Most aren’t even looking. At the same time, breaches tied to open source software components used in applications impact 1 in 5 organizations annually.
While some companies are self-regulating their cybersecurity hygiene, in our software-driven world it’s just not enough; daily breach headlines indicate that government regulations might be a necessary motivator for widespread action, which is why we’re eager to see President Biden’s support of several initiatives, including requiring a software bill of materials (SBOM). This move, in part as a government response to the SolarWinds breach, would finally bring software the accountability that standard BOMs do to other products we use every day.
A basic tenet of any security program is to understand the risks present in your systems and applications, then prioritize risk mitigation steps. For software risks, this requires organizations to have full visibility to all of the code in an application. An SBOM is the ONLY way to do this. Like an ingredient label for your software, an SBOM takes inventory of what is actually ending up in your application and provides a standard list of open source software components that make up 90% of a modern application today. However, it is not enough to simply post or publish an SBOM -- it must be a living, breathing part of the development lifecycle with standards that make it actionable and allows for easy sharing between systems, customers, partners, and regulators.
Today, fewer than 50% of companies produce SBOMs as a standard practice in software development. The result of not having an SBOM means that companies are blind to known vulnerable open source components being shipped in their software applications and to any future discoveries of new vulnerabilities in those same components. Over 10% of open source components used in applications today are known vulnerable, leaving the organization using those applications more susceptible to successful attacks. Further, without an SBOM, the process of tracking and tracing new vulnerabilities when they are announced is like conducting a scavenger hunt across hundreds or thousands of applications in an organization’s environment. With 10,000+ vulnerabilities announced annually, this is a daunting task for security teams.
Information sharing within the cybersecurity community has long been decried as something there needs to be more of. That said, it must be approached with the proper guardrails in place to ensure the protection of those sharing the information. As industries that have struggled with standardizing and information sharing begin this journey, look to sectors that have successfully done it for decades. Specifically, the financial services sector. By extending the guidelines seen in financial services, the disincentives for information sharing are reduced.
As the government looks to increase the communication between public and private sectors, they must work to ensure that it is a two-way street. The EO does acknowledge this need; however, historically private sector CISOs have felt that the information sharing ends up as a one-sided relationship. I was heartened to see the urgency of the Order as well. I think the biggest challenge will be balancing the urgency with making sure that the two-way line of communication gets opened up.
The balance between the data and human problems in cyber is something we look at early and often. As a step to enhancing the posture of organizations both public and private, the government needs to be contributing data sets such that risk management can be enhanced and performed with greater precision and knowledge. By pooling risk data across sectors, security leaders can get a more complete picture which is what is severely lacking across both organizations and industries.
This executive order is a strong step toward enhancing public-private partnerships within critical infrastructure cybersecurity. The callout to the NIST Cybersecurity Framework, one of the most significant public/private sector collaborations to date, was very heartening to see and certainly serves as a model going forward.
By widening the FAR to require cyber hygiene standards across all agencies, we can begin to set some baselines. Furthermore, by learning from and integrating on the DFARS and CMMC rollout within the DIB, we may begin to see the expansion of CMMC to other sectors. The critical step, though, is getting teeth behind the regulation while also making stronger cyber practices accessible. With the added language in the Order around software acquisition contracts and discussion of digital transformation of government infrastructure, it will be good to see the data collected as a result of those efforts shared with the private sector efficiently.
Joseph Cortese, CEH, Director Research & Development at A-LIGN:
Although the intent of this executive order is admirable, it’s quite a laundry list. Implementing everything listed will take a very long time – especially at the pace the federal government moves. But here’s what really compounds the issue: yes, every step in this executive order will serve to harden the systems in question, and each of these additional frameworks will move us in a more secure direction. But it is impossible to tell if the problems we’ve been experiencing are the result of fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security. Viewed through that lens, if we pile on more technology requirements that do not get adopted down the supply chain, we are no better off.
That said, there is a lot of strength in what the EO promotes. The aspect of this executive order that will have the most significant impact is the implementation of zero-trust architecture. When you look across all the controls that we use to secure technology, embodied in an ever-growing list of NIST Special Publications, it’s getting overwhelming. Zero-Trust can restructure our approach and deliver a fundamentally more secure architecture across the board.
The executive order also has its failings. One area that needs further consideration is the private sector and how they share threat information. Setting this standard will take a great deal of time and result in new bottlenecks within the private companies that conduct the threat intelligence, now subject to new requirements for feeding this information to government systems. As someone who has worked in global threat intelligence, and for various agencies, the amount of information and volume of data may not be fully understood and could severely complicate the ability to execute much of this EO.
The majority of cybersecurity hacks occur due to blatant disregard for security, such as lack of two-factor authentication, egregiously simple passwords, easy-to-access software repositories, and lack of brute-force protection. What’s so upsetting to me as a cybersecurity specialist is how many of these threats can be mitigated within the private sector by increasing security awareness within organizations and by bringing attention to existing policies and procedures. It may be that greater cybersecurity awareness is the most powerful weapon we could have when it comes to the private sector.
Mike Fleck - Senior Director, Sales Engineering, Cyren:
Yes, it will make a difference. Good security requires a culture of security, and culture is set at the top. This EO signals to government agencies and the tech industry that serves them that they need to prioritize security (if they aren’t already doing so). Some of the requirements have been in place for years. Most government agencies have required encryption for classified information and other sensitive data like Personally Identifiable Information (PII). There are already breach notification requirements like the ones in the HIPAA/HITECH regulation that require affected organizations to share information with their federal government regulators. The focus on the software supply chain is smart. We know that supply chains are and have been a common attack target.
Specifically, security standards for the software supply chain will have the largest impact. The government has been aspiring to use more Commercial Off-the-Shelf (COTS) software rather than custom-built solutions. However, it will be difficult to realize the full potential of this EO without some kind of enforcement. This EO could be similar to the process the government recently used to enforce proper security of sensitive government data stored on non-government systems. First, they published security standards (NIST 800-171) and required the defense industrial base to adhere to them. A few years later they implemented the Cybersecurity Maturity Model Certification to enforce compliance.
Enforcement, but that will probably come in time. Also, the devil is in the implementation details. We know the government has a lot of outdated systems that can’t easily be updated to comply with modern security standards. The EO will need to include guidance for how to handle these legacy systems. We also know that government processes are far from agile. We can’t take 3 years to secure against the threats of the day. How will this EO incent organizations to move faster? High-growth companies have long since adopted the mantra of “fail fast.” For very good reasons, the government has resisted that approach – people can die when the government fails (either quickly or slowly). Finally, we can improve the security of software development processes, but software will never be 100% secure. Many, many of the large breaches have been caused by a failure to install security updates. We need to acknowledge that both the manufacturer and the purchaser of the software bear responsibility to secure it.
Yes, the Software Supply Chain Security aspect should have deep reach into the private sector. The federal government has the largest IT budget in the United States so anyone selling software to government agencies should have to comply with the relevant aspects of this EO. Again, it will come down to enforcement so “should” becomes a “must.” Security requirements without enforcement are just security recommendations.
Marjorie Dickman, Chief Government Affairs and Public Policy Officer at BlackBerry:
President Biden’s Executive Order was much anticipated, even before the Colonial Pipeline attack, and it didn’t disappoint in terms of being a significant step in securing America from future cyber exploits. The software bill of materials (SBOM) provision is critically important, and long overdue, in securing our nation’s software supply chain – allowing purchasers, including the federal government, to manage risk and uncover vulnerabilities that malicious hackers are targeting. The next hurdle will be how quickly the Administration and Congress can work together to implement these EO provisions and piece together additional key parts needed to secure America from cyber threats, including right-sizing federal funding for cybersecurity investment in America’s woefully outdated digital infrastructure.