On May 12, 2021, President Biden issued Executive Order 14028, "Improving the Nation's Cybersecurity." The order follows the ransomware attack on Colonial Pipeline, one of the nation's largest fuel pipelines, in which the Russia-based DarkSide criminal group compromised the company's business IT systems. Colonial shut the pipeline down as a precaution, halting a line that carries roughly 45% of the East Coast's fuel supply, and paid a ransom of about $4.4 million (75 bitcoin).
The order also comes months after one of the most damaging cyberattacks against the United States, the SolarWinds compromise. SolarWinds, a Texas-based IT company, supplies its Orion network management software to the federal government and thousands of private customers. Russian intelligence operatives compromised the SolarWinds build process and inserted a backdoor into a signed Orion update, which then gave them access to the networks of customers who installed it. As many as 18,000 customers, including multiple federal agencies, downloaded the trojanized update, making this a software supply chain attack of unusual reach.
The executive order is largely directed at government policies and processes; however, at least one section reaches into the civilian space, namely IoT and consumer products. In addition, companies that intend to do business with the federal government will have to comply with the new contractual requirements or risk losing that business.
As a general statement, the operational parts of the order seek to (1) coordinate government efforts and reduce the compartmentalization of cyber risk management and incident response within government, and (2) do so through widespread reliance on standards and guidance from the National Institute of Standards and Technology (NIST).
In addition, the order requires the federal government to move quickly to cloud-hosted services and to adopt a Zero Trust Architecture. "Zero trust" describes a security model in which no user, device, or connection is trusted by default, even inside the network perimeter: every request must be explicitly authenticated and authorized before it is granted. This is the opposite of the traditional perimeter model, which assumes that anything already inside the network can access and change systems unless it is specifically blocked. If there was ever a question whether cloud computing is more secure than self-hosted infrastructure, the federal government has now answered it.
Notably, the order requires agencies to adopt multifactor authentication and encryption of data at rest and in transit within 180 days. Agencies that cannot meet the deadline must submit a written explanation of why they are unable to comply.
By federal government standards the pace is brisk: the first deadlines fall at 60 and 90 days after the order. The order is divided into ten substantive sections (plus general provisions), which are briefly described below.
Section 1 describes the current state of cybersecurity in the federal government, namely that cybersecurity and incident response are largely siloed across agencies.
In response, section 2 focuses on sharing threat information between the government and its IT and OT service providers, by removing contractual provisions that currently inhibit such sharing.
Within 60 days, the Office of Management and Budget must recommend changes to federal acquisition regulations. As the order puts it, "[r]emoving these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government."
Within 90 days, proposed regulatory changes will be published for comment, and within 120 days, information sharing is to begin. The order also requires service providers to promptly report cyber incidents when they are discovered.
In addition, section 2 requires the development of standardized contractual cybersecurity requirements for unclassified systems, including a review of agencies' existing agency-specific requirements with a view to standardizing them. Section 3, titled "Modernizing Federal Government Cybersecurity," then states:
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
In other words, within 60 days agencies must update their existing plans to prioritize migration to cloud technology and develop a plan to implement Zero Trust Architecture, incorporating the migration steps NIST has described for such systems. The order allows longer periods for related steps, including development of a cloud-service governance framework and a description of the services available to federal agencies in the event of a cyber incident.
Section 4 aims to improve software supply chain security, an obvious necessity given the SolarWinds compromise. Something of a non sequitur, since it is not directly aimed at the federal government, is this section's requirement for pilot programs on consumer education about the security of Internet of Things ("IoT") devices, consumer labeling of such devices, and the like. This is the provision for the hijacked Internet-connected refrigerator that quietly stops working at the most inopportune moment. A single hacked refrigerator is a joke, but a coordinated attack designed to knock out a thousand refrigerators in a local area is a realistic problem (a "snack attack," if you will).
Section 5 establishes a "Cyber Safety Review Board," to be set up by the Secretary of Homeland Security in consultation with the Attorney General. The Board's task, in a general sense, is to review and assess significant cyber incidents and to make recommendations for improving cybersecurity and incident response practices. The order provides further details.
Section 6, entitled "Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents," requires the Secretary of Homeland Security, acting through CISA, to develop "a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB [Federal Civilian Executive Branch] Information Systems." Candidly, this is something that all organizations, not just government ones, should do as part of best practice.
Section 7 is related but distinct: it improves detection of vulnerabilities and incidents on federal government networks, including deployment of endpoint detection and response (EDR) capabilities. Section 8 addresses investigation and remediation of detected problems, chiefly through requirements for network and system logging.
Section 9 addresses National Security Systems and requires that they adopt requirements equivalent to or exceeding those imposed elsewhere in the order. Section 10 consists of definitions of the terms used in this jargon-laden executive order.
So what does all this mean? It means the government is getting serious about security, which suggests that private entities should do the same.