Unpacking the President’s Executive Order on Digital Security
Last week this blog discussed the gap between what businesses can afford to spend on protecting their own data and what hostile governments can spend to attack them. We observed that the U.S. government is already helping to fill that gap and could do even more to assist in protection of both commercial and government data stores.
The Biden administration agrees, as it released an executive order aimed to bolster data security efforts across the board here in the U.S. This order is a good start, addressing several administrative and operational matters that could help the U.S. respond to waves of attacks on the digital aspects of our critical infrastructure. More will be needed.
An executive order is a blunt and limited instrument. It does not have the reach or consequence of law. The President has authority over the executive branch of government, and executive orders affect the country by changing the way federal agencies, from law enforcement to military to commerce to health care to agriculture, regulate themselves and the parts of the economy within their enforcement arena. These orders also serve as a policy roadmap to highlight the administration’s priorities for the future.
This Executive Order on security emphasizes one of the strategies we highlighted last week – public/private partnerships to share information and strategies. The administration proposes using both a carrot and stick to encourage/force sharing of private cyber breach information. The government acknowledges that companies often keep digital attacks quiet, not wanting the embarrassment or potential liability of admitting their business was targeted for cybercrime. The Briefing Room Fact Sheet for this order notes the hesitation of private businesses to share, and states “Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.” So the carrot is removal of contractual barriers and the stick involves requirements to share.
Executive orders have most impact on the day-to-day functioning of the federal government. To that end, the Executive Order emphasizes modernizing and implementing stronger cybersecurity standards throughout the federal system and improving software supply chain security. The last concept was highlighted by the SolarWinds attack where vulnerabilities in the software supply chain allowed Russian hackers access to highly sensitive government and business systems. The Fact Sheet says that the Order “will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market.” They plan to use the purchasing power of the government to force better security postures from software vendors across the board.
The administration also plans to improve detection of cybersecurity incidents in government networks by speeding the adoption of protective tools and practices, and implementing government-wide endpoint detection and response system. We are promised the old chestnut of improved communication and “intra-governmental” sharing that seems to be an acknowledged need noted by administration after administration. There can be sound security reasons for departmental silos, but sharing of information on attacks can only help.
One answer for this problem is creating a standard set of definitions and responses across all federal government departments, to act as a floor for minimum acceptable activity. “Recent incidents have shown that within the government the maturity level of response plans varies widely,” so a standardization can bring the laggards up to speed, and will also serve as a template for treating digital attacks in the private sector. Much of the rest of the Executive Order discusses methods of improving federal capabilities to detect, investigate and remediate cyber attacks.
One of the subtler but important points of the administration’s new position is to treat information security, both in and out of the federal government, as a national security issue. Not only is this a major change from the previous administration, which seemed to turn a blind eye to larger issues caused by cyber attacks – especially those arising from Russia – but it is a much-needed update to U.S. policy. As we glimpsed in the Continental pipeline ransomware attack this month, lapses in data corporate data security can quickly become national security issues. The pipeline was only taken offline for a matter of days before gasoline shortages were reported and panicked consumers started fistfights in service stations over the final drops in the pump.
Data security professionals have known for decades that the critical infrastructure of the U.S. economy includes several entire industries and the supply chains that support them. It is good to see the federal government not only catch up to this view, but build its policies around treating digital security as national security. Not every hack will bring the country to its knees, but we need to do a better job of building a security culture and a sense of solid data governance from top to bottom with our economy. The federal government can help kick-start this process.
To this end, I would direct true data nerds to the definitions of the Executive Order, which include sophisticated information security concepts like “Zero Trust Architecture” (“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained.”), “Software Bill of Materials” (“It is analogous to a list of ingredients on food packaging.”), and “auditing trust relationship” (“an agreed-upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets.”). This is not your father’s data security discussion.
The writers of the order expect a new level of sophistication and rigor in managing digital systems going forward. And while that may not be all we need, it should make Americans more comfortable that the federal government has higher expectations for itself and for the rest of us.