Sage Advice - Cybersecurity Blog

The Executive Order on Cybersecurity

A Brief Foray into the Executive Order on Improving the Nation’s Cybersecurity[1]
by Gary Soucy, Tyler Cybersecurity, Senior Cybersecurity Advisor

Executive-Order

  • Why was the Executive Order written?
  • Threat Intelligence
  • Modernizing Governmental Cybersecurity
  • Zero Trust Architecture, Multi-Factor Authentication, and Data Encryption
  • Secure Software Development and IoT Testing
  • National Cyber Safety Review Board and Improved Incident Response
  • Investigation and Remediation
  • Protection of National Security Systems

Why was the Executive Order written?

Consider the recent string of supply chain compromises on the United States – we are under attack. Just look at the headlines: FireEye Sunburst attack, SolarWinds compromise, the Colonial Pipeline and JBS Foods ransomware events, and the multiple Federal Agencies that have been breached. The President called the Russian-linked attack on the Colonial Pipeline an act of cyberterrorism[2]. Our adversaries have made it clear that they operate outside international law and do so with impunity.

The Executive Order (EO) 14028 issued by the President on May 12, 2021, is an effort to:

  • improve the Nation’s ability to identify risks and vulnerabilities to its computer systems and those of its private sector partners;
  • prevent compromises from occurring to those systems; and
  • detect exploits as they are occurring, respond to those exploits efficiently, and effectively recover from them.

The EO is effectively re-writing how government approaches security. With a mandate to improve nearly every aspect of cybersecurity, from incident response, to risk management, and vendor management, EO 14028 improves the confidentiality, integrity, and availability (CIA) of our data.

Threat Intelligence

One notable requirement of the EO is to promote threat information sharing with contractors and private sector partners and service providers. Many existing contracts forbid or restrict the sharing of threats and incidents. Federal contractors will now be required to handle data responsibly, share relevant data with specified agencies, and collaborate on investigations. Knowing that third-party vendor security is often the vector for a data breach, this is an important step in improving government security.

Modernizing Governmental Cybersecurity

With the ever-changing threat landscape and ever-increasing sophistication and abilities of malicious actors, the EO requires modernizing Federal cybersecurity by improving visibility into threats and ensuring the protection of privacy and civil liberties. Outdated software and technologies need to be upgraded. Along with adopting cybersecurity best practices, the EO requires moving to secure cloud services; improving and centralizing access to data that drives the identification, analysis, and management of cybersecurity risks; and provides funding for the resources needed to achieve these goals.

Zero Trust Architecture, Multi-Factor Authentication, and Data Encryption

The EO requires implementing Zero Trust Architecture (ZTA). According to NIST, ZTA assumes that no implicit trust is granted to users or assets, regardless of location. In other words, the network is no longer the focus of security. Since so many assets, services, accounts, workflows, and other resources are located outside the network, security is squarely focused on those inherently insecure resources, including endpoints.

Multi-factor authentication (MFA) can significantly improve cybersecurity. In addition to something you know (password), authenticators are something you have (a fob, or app), and something you are (biometric). By adding the second factor, brute force password hacking becomes a lesser threat.

Finally, by encrypting data both at rest and in transit, the EO ensures the end-to-end protection of data throughout its life cycle. This will provide a greater degree of privacy, confidentiality, and integrity.

Secure Software Development and IoT Testing

In response to the lack of transparency of commercial software development and controls, the EO provides requirements for the implementation of mechanisms to ensure that software products operate securely and with integrity. This will include requirements for risk assessments, secure coding controls, and a Software Bill of Materials (SBOM) so agencies have transparency into a system’s development. In addition, the EO mandates the removal of all software products that do not meet these requirements. The EO also requires Internet of Things (IoT) devices and software to include a consumer labelling program indicating levels of security testing a product has undergone.

National Cyber Safety Review Board and Improved Incident Response

The development of a Cyber Safety Review Board will create what appears at first blush to be a National Cybersecurity Incident Response Team (IRT). This team will be made up of various Federal Agencies and Departments, in addition to private sector partners. The intention is to overhaul and standardize vulnerability and incident response procedures, improve coordination, and centralize a catalog of incidents and tracking of agency responses.

It also directs the Federal Government to improve identification and detection of cybersecurity vulnerabilities. An Endpoint Detection and Response (EDR) initiative will be designed to help with detection, active threat hunting, containment and remediation, and incident response. It is intended to include assurances that mission-critical systems are not disrupted; procedures for notification of vulnerable system’s owners; and the techniques allowed to be used during vulnerability testing of systems.

Investigation and Remediation

In addition to the improved intelligence sharing, the EO adds investigation techniques and procedures for remediating discovered risks and vulnerabilities. It specifically addresses event logging and mandates the development of policies and procedures for the types of logs to be maintained, duration of retention, and encryption.

Protection of National Security Systems

NIST defines National Security Systems as those systems that are specifically used for National Security, such as military command and control systems, weapons systems, military intelligence, etc.[3] The EO requires National Security Systems to adopt controls that are as good as or better than the requirements set forth in the EO.

With the safety and security of every American on the line, the Federal Government can no longer allow its adversaries to run roughshod through our computer systems, both public and private. Traditionally, the general approach to defending our Nation’s systems has been a reactive one, usually countered with an escalation by our adversaries. It is hopeful that EO 14028 may bring about a sea change and a more proactive approach to our cyberdefense capabilities.

[1] The White House. (2021, May 12). Executive Order on Improving the Nation’s Cybersecurity. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[2] Herman, S. (2021, May 10). Russia-linked cyberattack on US fuel pipeline is 'criminal act,' Biden says. VOA.

https://www.voanews.com/economy-business/russia-linked-cyberattack-us-fuel-pipeline-criminal-act-biden-says.

[3] NIST (n.d.) Computer Security Resource Center. https://csrc.nist.gov/glossary/term/national_security_system.

Topics: Cybersecurity, Cyber Defense, Cybersecurity Awareness

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More