On May 12, 2021, President Biden issued an Executive Order focused on improving the nation’s cybersecurity. This executive order strives to accomplish several important objectives for the United States’ approach to safeguarding its data and systems.
- Create a Zero Trust environment
- Manage the supply chain and its vulnerabilities
- Minimize barriers to intelligence sharing
- Create a Safety Review Board
- Create a standardized playbook for Incident Response
The key outcomes for US cybersecurity procedures from this executive order include:
- Developing a Zero Trust environment. This insight can apply to any organization, regardless of industry or size. Incorporating just this one element will lead to the most effective tightening of security globally.
A Zero Trust environment refers to an environment that has no implicit trust boundaries. The benefit of this approach is that it ensures we only allow authenticated and authorized people to access our applications and systems. This can look very different depending on the application, but inherently in this type of environment, no one or no system is implicitly trusted, and authentication and access rights must be verified at each access step.
This component will ensure all access to systems run or used by the federal government involves Multi-Factor Authentication.
- Enhancing Supply Chain Security. This includes creating a way to track the deployment and provenance within the software lifecycle. It will likely involve lots of new reporting and compliance related to making the software supply chain less vulnerable. This type of approach serves as an example of a system that can prevent large-scale cyber-attacks, such the SolarWinds hack from late last year.
Much of this new infrastructure will make it harder for smaller players because of the cost of keeping up the various mandates. As the industry goes forward, we should consider how this may create barriers to entry for small software developers. Do we want to limit the availability of small software developers? How can the cost and complexity be minimized? Consideration for this needs to be a discussion topic as we advance.
- Improving Coordination and Sharing of Threat Information. The EO gives direction to improve the coordination and sharing of cyber threats between federal law enforcement, federal government agencies, IT contractors, cloud service providers, and industry. To make this happen, contract language will likely have to be renewed.
While increased communication helps bolster cybersecurity, it comes with additional risks to mitigate. When sharing more information between intelligence agencies, law enforcement agencies, and corporations, the privacy rights of individuals and corporate intellectual property rights must be assured.
- Create a Safety Review Board. The EO creates a Safety Review Board, which is positive because it codifies an automatic review and “lessons learned” session. Performing lessons learned sessions is a crucial way to improve future outcomes. Bringing together Homeland Security and the Attorney General will create an environment where we can more easily bring the perpetrators of any act of cyber-attack to justice. However, the US needs to be careful to avoid this board overreaching – especially when it comes to citizens – and ensure civil liberties are protected.
- Standardize the Playbook for Vulnerabilities and Incidents. Having a go-to playbook is critical in the event of an incident or a breach. The unfortunate reality is that most cybersecurity branches of organizations are run worse than your child’s hockey team. Your child’s team has a playbook, they practice, and they play the game after practice. Most cybersecurity plans are sitting on a shelf somewhere in a binder, and are never tested or practiced.
Having one playbook for the entire federal government is like the whole NFL having the same playbook – or maybe more like the NFL and all college football teams using the same playbook. The Agriculture Department plays in a far different environment from that of Departments of Energy or Defense.
Having a playbook and actively putting it into practice much more critical than having conformity across organizations.
So, what does this executive order mean for your organization? For most companies – unless they are doing business with the government – little will directly affect us.
However, there are five main takeaways from this initiative that every company can and should implement:
1) Create a Zero Trust environment.
- Segment your business applications to minimize exposure to hostile actors.
- Use a robust authentication system to ensure whom you are allowing into your network is who they say they are.
2) Manage software and operating system patching process.
- Use automated tools and scheduled update times to do updates.
- Follow the guidelines of the Software Developer to ensure that bugs are fixed in your environment ASAP.
3) Create an open environment that will allow for free and rapid sharing of information.
- Make it easy to report potential and actual threats to those who can mitigate these concerns.
- Encourage the team to report or request assistance for any questionable emails, computer activity, etc.
4) Do an after-action review on all incidents.
- Record what went right.
- Make sure you add to the playbook unforeseen developments.
5) Create a playbook – an incident response plan.
- Make it second nature for your team to take action when an issue arises.
- Create a broad outline of how you want an issue handled.
- Ensure you have all the contact points for the important people/organizations in the front of the book.
Overall, the President’s executive order provides a good overview of how to make our nation’s critical information systems more secure with a lot of guidance and timelines. It also helps the government lead by example to illustrate what an enterprise can do to make itself more secure and enable a faster and more standardized response to cyber threats.
About the Author
James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying, and maintaining large-scale, mission-critical applications and networks. Over the last 15 years, he has lead teams through multiple FedRAMP, NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped numerous companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.