Biden's Cybersecurity Executive Order: 4 Key Takeaways
White House Puts Focus on 'Zero Trust,' Software Standards, Information Sharing
By issuing a sweeping cybersecurity executive order on Wednesday, the Biden administration is attempting to take a critical step to address security issues that have come to light after recent cyberattacks.
The 30-page Executive Order on Improving the Nation’s Cybersecurity covers a host of cybersecurity issues. It describes how government agencies should evaluate the software they buy. It mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. And it calls for these agencies to adopt "zero trust" architectures and more secure cloud services.
The goal, according to a senior administration official, is to modernize the government's IT infrastructure while creating a set of standards to help minimize the damage caused by cyberattacks, such as those that recently affected Colonial Pipeline Co., SolarWinds and its customers, and certain users of Microsoft Exchange.
"For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort and money," the senior administration official, who spoke on the condition of anonymity, told reporters. "And instead, we've accepted that we'll move from one incident response to the next. And we simply cannot let 'waiting for the next incident to happen' be the status quo under which we operate."
Security analysts and researchers who have started parsing through the executive order say the Biden administration has created a catalyst for improving cybersecurity.
"The order brings multiple levers of federal government authority to bear, including the most comprehensive proposed use of procurement power ever," says Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security.
"The timelines are very, very aggressive, and the details - what actually must be done - are to be filled in by agency action. That's appropriate, of course," says Reitinger, who is now president and CEO of the Global Cyber Alliance. "The directive to move to the cloud and do so securely is the most important step that the president could possibly order."
Here are four key takeaways from Biden's executive order:
'Zero Trust' Is a Priority
The executive order mandates that executive branch federal agencies create "zero trust" environments. The administration says this is key to ensuring security when implementing cloud computing environments and services and modernizing the IT infrastructure of the federal government.
The document notes that within 60 days, the agencies must update plans to prioritize the adoption and use of cloud technology as well as develop a plan to implement zero trust architecture.
John Kindervag, the former Forrester analyst who created the concept of zero trust, says he was pleased the executive order used a definition of zero trust that is close to his own when describing how to deploy the model (see: John Kindervag: Reflections on 'Zero Trust').
"What this does is incentivize federal agencies to adopt zero trust within their own on-premises technologies. It also creates a zero trust mindset in how they can approach their on-premises technologies and when they move to the cloud … and the incentives are clearly very important," says Kindervag, who is now senior vice president of cybersecurity strategy at ON2IT Cybersecurity. "The challenge is going to be in the section where it says the agency head needs to develop a plan. That's going to be a challenge for everybody because the first thing they need to do is determine what you need to protect - and that takes longer than 60 days."
Kindervag believes that as agencies begin to build a zero trust architecture, they should take incremental steps toward deploying the framework instead of trying to tackle everything in one large project.
Supply Chain Risks Must Be Addressed
The executive order also lays out extensive new guidelines for how federal agencies must evaluate software needed for their IT infrastructures - a clear nod to addressing supply chain issues, which were highlighted in the SolarWinds attack in which attackers used a Trojanized software update.
The order describes three key provisions:
- Agencies must implement baseline security standards for software, including requiring developers to maintain greater visibility into their applications and make security data available.
- Agencies must develop new requirements for making sure vendors address security as software is developed. The federal government will use its purchasing power to incentivize companies to follow these requirements.
- The government will create a pilot program for an "energy star" type of label signifying whether software follows the new security guidelines.
The senior administration official noted that Singapore created a similar rating system for the security of IoT devices. "The executive order directs the National Institute of Standards and Technology to develop a similar program and to work with the private sector and other agencies to find ways to encourage manufacturers to participate," the official said.
Commenting on the supply chain measures, Reitinger says: "I'd like to see incentives or requirements to take the measures developed under this section for the government and make them available as a package to the private sector, and be implemented in cybersecurity regulations already imposed by the government."
Cybersecurity Safety Review Board Will Be Created
The executive order calls for establishing a "Cyber Incident Review Board" modeled on the National Transportation Safety Board. The new body will investigate cybersecurity incidents and make recommendations for improving security.
The secretary of the Department of Homeland Security, along with the attorney general, will establish the board, which will include members from the departments of Defense and Justice, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI as well as representatives from private industry. One of the first topics the board will examine is the SolarWinds attack (see: Analysts Uncover More Servers Used in SolarWinds Attack).
Scott Shackelford, chair of Indiana University's cybersecurity program, has been advocating for the creation of such a board for years. He would like to see Congress create laws to establish the board's charter and make it more independent of the Department of Homeland Security.
"To make that effective, Congress needs to act to establish an independent agency tasked with investigating novel cyberattacks targeting U.S. critical infrastructure networks," Shackelford says. "The NTSB wasn't able to thrive until it was separated from the Department of Transportation in the 1960s. Something similar may be needed here with DHS."
Barriers to Sharing Threat Intelligence Must Be Removed
The Biden order also calls for removing some of the contractual barriers that hamper the sharing of threat intelligence between government agencies, such as the FBI and CISA, and companies, such as those that provide cloud services.
"Removing these contractual barriers and increasing the sharing of information about such threats, incidents and risks are necessary steps to accelerating incident deterrence, prevention and response efforts and to enabling more effective defense of agencies' systems and of information collected, processed and maintained by or for the federal government," according to the order.
But the order doesn't do enough to ensure that when data is shared, it's acted upon, says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
"The government still has classification issues sharing actionable, real-time intelligence back to the private sector," says Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. "Supply chain risk has been front and center with SolarWinds and others. The issue is that smaller vendors in the supply chain don’t have the human or capital resources to properly protect themselves, and by nature of the chain, all the rest of us."