On May 12, 2021, United States President Joe Biden signed Executive Order 14028 to address the growing frequency and impact of cybersecurity attacks and their effect on businesses, the economy and, ultimately, our global way of life. Significantly, this EO came days after the nation learned of the Colonial Pipeline attack and its impact on the personal lives of millions, specifically those living on the East Coast. The EO’s purpose was to highlight specific, high-impact areas of cybersecurity need and to provide prescriptive guidance on how to improve or address them. While the impetus for the EO is the protection of the Nation’s networks and critical infrastructure, the implications reach much further. This blog focuses on the principal scope and intent of EO 14028.
The EO sought to address several areas:
- Rapid threat intelligence sharing
- Updated, stronger standards for cybersecurity across the Federal government
- Software supply chain security
- A National Cyber Safety Review Board
- Standardized playbooks for incident response
- Improved investigation and remediation capabilities
Threat Intelligence Sharing & Improved Investigation/Remediation
Threat intelligence includes the details surrounding threats and the tactics, techniques and procedures (TTPs) of threat actors across the industry. Sharing mechanisms exist today, but this element of the EO addresses the time allowed for any vendor or contractor to report a breach or suspected incident to the government. The faster that accurate details of an attack or incident are shared across the cyber community, the faster a response can be mounted. This is fundamentally about managing the attack surface (the exposed or potentially attackable assets) and attaining the best possible security posture given the available knowledge and resources. Threat intelligence with context provides cybersecurity situational awareness that enables teams to take proactive steps to protect or insulate their systems. It is also critically useful in threat hunting for dormant infections that may have slipped past defenses initially. With greater insight into a threat and its TTPs, teams can more effectively identify, isolate and remediate it. This also supports more effective investigation of damage, loss or lingering impact that may not be immediately recognized or understood.
Software Supply Chain Security
Software (the instruction code that drives practically any item in our world that plugs in or uses power) has grown so extensive and diverse that when a new threat emerges and targets a vulnerability, the extent of the exposure is not known immediately. To address this at a national and critical-infrastructure level, the EO calls for guidance from the National Institute of Standards and Technology (NIST) for federal agencies that will drive behavior and require a level of transparency for any software from vendors who wish to sell to the government. The biggest area involves transparency about the components used in software, generally referred to as a Software Bill of Materials (SBOM). In an ideal situation, this permits tracking of the code in use in an environment so that it can be compared against known vulnerabilities (CVEs) and exploits, helping to prioritize activities and protect that environment.
NIST has issued preliminary guidance based on research that it and NTIA have conducted in support of improving the security of the software supply chain. It is anticipated that the requirement will go into effect sometime in 2022.
Standardized Incident Response Playbooks
In a crisis, ensuring that all members of the operations team know their role and what is expected of them (and in what order) is crucial. It is the difference between panicked indecision and effective mitigation or triage. Developing a robust plan for cyber incidents, from notification through to action, including process and follow-through, is key, and standardizing on a model based on proven expert practices ensures that collateral damage is limited and teams can act to control, contain or minimize an incident. These playbooks will help agencies respond with purpose, leveraging proven practices and acumen to engage with peer agencies and ensure a response is executed in concert.
Accelerate Security Policy and Standards adoption
Finally, there is an across-the-board update to guidance and adoption policies for government entities, leveraging effective, proven practices such as multi-factor authentication (MFA), end-to-end encryption, adoption of Zero Trust architecture principles and accelerated migration to secure cloud services. NIST has released several Zero Trust reference tools for agencies to employ, and the EO calls for accelerated adoption of FedRAMP, widespread MFA and encryption adoption, and Zero Trust adoption. For reference, Zero Trust is an approach whereby every user or asset in an environment must be known, permissively and explicitly managed, and all data behaviors observed if not directly controlled, to ensure that all activity in an environment is benign. The simplest description of Zero Trust is: trust nothing, continuously verify everything and investigate any anomalies.
A More Secure Future
With our increased dependence on reliable, trustworthy infrastructure and the technology that supports it, we must have effective tools and controls in place to ensure its availability and protect it from actors who wish to do it (and others) harm. One statement from the EO reflects this well: “The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
The question that comes next is often whether an organization is affected by the scope of the EO. Simply put, if a vendor sells software, hardware or services to a provider that in turn supplies a federal agency, that vendor could see flow-downs from its customers: additional contract language requirements, as well as expectations that accompany any forward-looking business engagements. Several elements within the EO are also intended to assist in protecting utilities and infrastructure that are owned and managed in the private sector. These programs fall under the guidance and support of the respective governing agency (e.g., the Department of Energy for electrical grid operators).
Although similar initiatives are underway in developed nations around the world, this EO is designed to protect the citizens of the United States today in recognition of the threat and potential disruption a devastating attack could have should services be interrupted for an extended period.
Watch our recent webinar Explained: Improving the Nation’s Cybersecurity on-demand to learn more.