US President Joe Biden has issued an executive order (EO) seeking to strengthen federal cybersecurity amid growing concerns about threats to national security from attacks like the one on Colonial Pipeline last week, which triggered a massive gas shortage across the southeast in recent days.
The EO spells out a series of measures for federal agencies aimed at, among other things, bolstering threat information sharing between the government and private sector, ensuring better software security, and standardizing federal incident response capabilities. The order only applies to federal agencies and federal contractors, but like many federal actions could end up having a broader ripple effect on private industry as well.
Biden pointed to “persistent and increasingly sophisticated malicious cyber campaigns” as the immediate driver for the executive action. Such campaigns pose a risk both to the public and the private sector and ultimately threaten the security and privacy of American people, he said in issuing the presidential directive.
“Incremental improvements will not give us the security we need,” Biden said. “Instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
The most noteworthy aspects about the EO, according to industry experts, are its requirements for baseline security standards for software sold to the federal government, the removal of barriers to threat information sharing, and the creation of a standard federal playbook for responding to cyber incidents.
On the software front, the directive requires developers to ensure their products meet certain minimum security standards to qualify for federal government procurement. Likely because of the concerns spawned by the SolarWinds attack, the EO makes special note of the security and integrity of software that runs with elevated system privileges on government networks.
The directive requires the US Secretary of Commerce to work with the director of the National Institute of Standards and Technology (NIST) to get input on guidelines for software security from federal agencies, private companies, academic institutions, and other entities. Within six months NIST will publish a set of preliminary guidelines and standards that developers supplying to the government will be required to meet.
The guidance will include standards and procedures that developers will need to use for securing software development environments, demonstrating conformance with the standards, maintaining trusted source code supply chains, checking for vulnerabilities, providing a software bill of materials, and other requirements. A pilot program will be set up within the next several months to establish the equivalent of the “energy star” rating for secure software.
“Strengthening cybersecurity requirements for federal software procurement will raise the bar for contractors and hopefully have ripple effects that boost cyber resiliency across the private sector,” says Harley Geiger, senior director of public policy at Rapid7.
The big question, though, is whether the government can move fast enough to provide perspective guidance for the software industry on an ongoing basis, says Kevin Bocek, vice president of security strategy and threat intel at Venafi.
“Software development is changing too quickly, and the rate of change is accelerating as more companies move to the cloud,” he says.
The EO also does little to address the security of machine identities such as digital certificates and keys, which are critical for secure code development — and were, in fact, a big factor in the SolarWinds attacks, Bocek says.
Biden’s EO is similarly prescriptive with threat intelligence sharing between federal agencies and the private sector. The EO highlights the critical role that contractors play in providing and supporting federal IT and OT systems. When a security incident impacts such contractors, current federal contract language and terms often can restrict them from sharing specifics of the incident with others, the order notes.
The EO removes those contract restrictions. Within the next 60 days, new guidance will become available requiring federal contractors and service providers to collect and preserve data pertaining to any security incident that impacts them. Contractors will be required to share breach information that could impact government networks to not just their own government customers, but with any agency that the Office of Management and Budget (OMB), Department of Homeland Security (DHS), National Security Agency (NSA), and other federal agencies deem appropriate.
A Different Approach
Mike Hamilton, CISO of CI Security, says the new EO is different from previous ones that have focused on how the federal government needs to share classified data with the private sector.
“This EO reverses that and makes it a requirement for service providers that contract with federal agencies to monitor networks, collect logs, and make them available in the context of investigations,” he says.
Interestingly, the federal stakeholders that will develop the standards – including the types of investigation requests that would be in scope – include the Department of Defense (DoD) and NSA, he says.
“The NSA does not have the authority to monitor [or] surveil domestically, yet they have a seat at the table to design the process of doing just that,” Hamilton says.
Another aspect of the threat intelligence-sharing requirement that bears close watching is the whole issue around who exactly will be considered a service provider under the purview of the EO.
“If that’s a company doing federal IT management, that’s one thing,” Hamilton says. “If AT&T and Verizon are in scope, that becomes a much different conversation.”
Geiger says the EO’s requirements for creating a standardized process for cyber incident response across the federal government is another highlight.
The goal of the requirements is to ensure that federal agencies take uniform steps and measures to detect and respond to cyber incidents. The playbook will include standards developed by NIST for incident response, as well as guidance on the topic and how to use the playbook from several other sources, including OMB, DoD’s Cybersecurity and Infrastructure Security Agency (CISA), and NSA.
“The modernization of federal agency cybersecurity, and the standardization of agency incident response, are overdue and needed to address the risks government agencies face,” Geiger says.
Some other notable requirements in the executive order include those related to the implementation of zero-trust networks, endpoint detection and response technologies, and the adoption of cloud services.
Matt Glenn, vice president of product management at Illumio, a company that contributed to the language around the zero-trust requirements, says the requirements were largely inspired by recent attacks like the one at SolarWinds and those exploiting Microsoft Exchange vulnerabilities.
“Federal agencies need to implement a zero-trust architecture and enable segmentation in order to prevent a small security incident from escalating to a catastrophe,” he says.
Most federal agencies have already begun implementing zero-trust architectures, but the focus has been the endpoint and not data centers and the cloud, which is where these efforts really need to begin, Glenn says.
NIST has a zero-trust architecture framework (NIST SP 800-207), which is a good place for federal agencies to start, he says.
Two criticisms with the EO are that it is too prescriptive and doesn’t assign any responsibility on the government itself.
Jyoti Bansal, CEO of Traceable/Harness, points to the requirements around how developers should build, test, deploy, and run software as an example of the overly prescriptive nature of some of the requirements.
“Given the urgency of the challenge at hand, a better approach would have been to issue guidelines and partner wider with industry experts on an ongoing basis,” Bansal says. The goal should have been “to define the frameworks and methodologies to address these security challenges. It’s certainly a start, but the wider industry needs to hold itself accountable.”
CI Security’s Hamilton says the EO should also have included language around what the government itself will do in certain situations. As an example, he points to the FBI’s use of what were essentially hacking tools to “fix” vulnerable instances of Microsoft Exchange after a Chinese group called Hafnium was observed exploiting the flaws on multiple networks.
“Methods like this are in a very gray area, and I would have liked to see some language around what the DoJ can do going forward with clear authority to do so,” Hamilton says.