The Biden administration issued a big, eye-catching cybersecurity executive order late last Wednesday outlining a plan to “to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” The order covers a wide range of topics, all intended to move the US government into the 21st century with modern security and operational practices aimed at accelerating migration to cloud infrastructure, adoption of zero trust and implementation of multi-factor authentication (MFA) technology.
We are excited to see this as a major first step at setting forth standards for not only government agencies but those that will be under close scrutiny such as the utility industry. Specifically we’ll talk more about the items in the order that relate to accelerating migration to Cloud Security as well as highlight some of the other notable items called out in the order.
As we have seen recently with the Solar Winds hack and the Colonial Pipeline ransomware event, these broad standards are needed across the board for much of the federal government and for vital, vulnerable sectors of industry and infrastructure.
How is the Order Laid Out?
The executive order is broken down into 9 sections, each covering a key area of improvements in cybersecurity operations. The first section sets the tone: the policy of the administration is “that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
The 9 sections cover the following:
- Overall policy of the government
- Sharing threat information
- Zero Trust Architecture and cloud usage
- Declares 2021 Year of the #SBOM
- Establishes a Cyber Safety Review Board
- Seeks to standardize incident response (IR) practices across all agencies
- Specifies a centralized SOC, Endpoint Detection & Response, and threat hunting
- Improving logging for investigations and remediation
- Ensures that systems operating in the sphere of national security meet or exceed the standards outlined
The order will apply to over 100 agencies that are under the purview of the Cybersecurity and Infrastructure Security Agency (CISA) and includes a number of deadlines ranging from 14 days to 360 days from the issuance of the order. All in all, the executive order speaks generally in broad strokes but ones that have been needed for quite some time.
The sections cover major initiatives and for some the broadness of them may upset those pushing for faster turnaround times in response to the string of high profile breaches like some of those mentioned earlier. For many of these directives though, the measures called for would be difficult to implement, even for much smaller organizations, given the timelines put forth.
Let’s dive into some of the highlights:
Migration to the Cloud:
What Does it Say About Zero Trust Architecture and Cloud Data Security?
As it relates to Cloud Security, Section 3 is by far the most important and exciting to us:
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
The heavy lifting for this section has already been performed by NIST and their publication of Special Publication (SP) 800-207, Zero Trust Architecture. But as the paper points out, progress has been modest: despite the roots of Zero Trust being pushed as a concept since before 2004, and despite leaders spending over a decade urging agencies to move to the architecture, few agencies have implemented it.
At Cyral, we support these building blocks and built our company to help solve one of the biggest problems here which is specifically on cloud data security and governance. Our focus from the beginning has been on enabling Zero Trust Architecture to secure and protect the data cloud. We wholeheartedly believe that Zero Trust Architecture for SaaS, IaaS, and PaaS, coupled with Security as Code (SaC), is the way forward.
The key directives of this section then go on to mandate that each of the agencies must provide reports on how they are meeting key objectives including:
- Migration to cloud services
- Uniform cloud standards and architecture
- How those plans relate to the implementation of Zero Trust Architecture
- Data classification
- Requiring agencies to adopt MFA and encryption for data at rest and in transit within 180 days
We are incredibly excited to see all of these laid out as objectives and key results and look forward to seeing progress on these important goals. And personally, as someone that has lead, managed and implemented such projects before, each of these by themselves can be a massive undertaking depending on resources available and their starting point. A number of these directives can be complementary and the language at times does focus more on assessment of the situation than implementation yet, I still expect that this will be a hectic time for those on the ground.
Other Important Sections from the Executive Order
Beyond the key focus on cloud security and zero trust, there are several other sections that are of great interest that we’d like to highlight including:
2021: Year of the SBOM
Software Bill of Materials (SBOM) has been bubbling around for awhile, and this is the year that it finally seems to be going mainstream thanks to the work of people like Allan Friedman at the National Telecommunications and Information Administration (NTIA). Allan spoke at BSidesSF in 2020 about SBOM as part of the push for all companies to at least start thinking about this problem.
SBOM in this order specifically relates to the focus on software supply chain security. Supply chain attacks seemed only theoretical and something that was going to happen in the future and we are now all living in the future with SolarWinds, Dependency Confusion and Codecov all coming out in the past 6 months! Further portions attempt to develop a certification for secure software, and even lays out multiple explicit safeguards that companies should follow. These steps range from SAST / DAST to code signing to administratively separate build environments to vulnerability disclosure, encryption and more.
Consumer labeling for IoT Devices
Another exciting portion of this section is a consumer labeling program “to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices.” Think of the labeling similar to “energy star” labeling where it indicates whether software has followed specific security guidelines. With work from home here to stay and the proliferation of IoT devices with questionable security, this will hopefully encourage manufacturers to take security of their devices more seriously.
Establish a Cybersecurity Safety Review Board
For any event deemed necessary to create one, a review board with private companies as well representatives from the DoD, DoJ, CISA, NSA and FBI will be convened. The first such board will be related to the SolarWinds event and will be responsible for recommendations within 90 days of creation. The board will be required to develop an initial review within 30 days and their expectations going forward. The board is extended automatically every 2 years unless the President deems otherwise as it is an extension of the Homeland Security Act of 2002 which established the idea of advisory committees. As with much of this order, this codifies a great deal of disparate existing policy and procedures and explicitly provides authority and urgency to act on it. Do you think they’ll run a blameless post mortem? Perhaps if it’s an international incident they can run a Five Eyes Five Whys.
Standardize an Incident Response (IR) Playbook
This is another section creating uniformity among the many various standards, policies and procedures already in place, this one specifically relying on NIST standards. NIST published the Guide for Cybersecurity Event Recovery in late 2016 with likely varied uptake across federal agencies. CISA will have final say on all IR procedures ensuring that for every event that the procedures were followed correctly.
Endpoint Detection & Response (EDR) and Centralized SOC
EDR and threat hunting makes their way into the spotlight with a requirement of all agencies and even National Security agencies to implement a unified EDR solution. This will also require the heads of agencies and National Security to cooperate as well. For the civilian agencies, the data should be available to CISA, while the national security agencies will be required to produce a report on whether or not it should be centralized.
This directive will allow for a centralized visibility eliminating potential siloes across agencies. By having a centralized view, CISA will be able to spot trends and threats and detect operations like the Solar Winds breach sooner. This centralized monitoring will allow for a single pane of glass for CISA to gain unified visibility into all activity and bubble up issues sooner than later.
One of the major players in the EDR space, Tanium already advertises that they have five branches of the US military on their platform which should help with at least a portion of this order. This section continues the unification theme that has been continuous throughout the order as the government tries to execute security at scale against advanced persistent threats (APTs).
Log Everything with Assurance
The last major portion focuses on best practices around logging and assurance of those logs. With advanced threats already having gone deep into government networks, having assurance that the logs be immutable is paramount to ensure that the hunting will actually find threats. Logs without a guarantee of immutability, cannot be trusted when the threat actor has the capabilities to modify them. Additionally, having proper logging speeds-up forensics and reduces mean time to resolution. Standards around retention and quality of logs will need to be established and applied across all agencies for both on premise and cloud workloads as well as IT providers. Logs are core to Cyral’s implementation of data activity monitoring so we can only applaud that there will be standards implemented for any of those that are not there yet.
President Biden’s Executive Order on Improving the Nation’s Cybersecurity is a big, bold move aimed at standardizing and socializing the best practices that have been developed individually at multiple different agencies and levels. Zero Trust Architecture, cloud migrations, SBOM and EDR have all been advocated among those pushing the needle on security. This executive order though, puts the full weight of the federal government behind these initiatives that will hopefully move all of us forward. We have seen the devastating consequences and near daily leak of personal, private, R&D and interruption of our daily lives on systems that have remained insecure for too long. This executive order, when fully implemented, will hopefully stem the tide of attacks and crimeware that has overwhelmed our IT and OT infrastructure.