President Biden’s new cyber executive order, released late Wednesday, prioritizes situational awareness and resilience-building, two pillars of security architecture that shape our own understanding of the threat environment. And it moves the government towards a “zero trust architecture” policy, which could significantly mitigate damage caused by future attacks.
The executive order understandably focuses on companies that do essential business with the federal government, but it contains the seeds of more global standards-setting mechanisms everyone can benefit from.
One example: in its section on supply chain security, it requires the Secretary of Commerce to create the minimum elements of a Software Bill of Materials (SBOM) for every potential product or service sold to the government. When fully fleshed out, this will require companies to spell out what software their own proprietary IP is built on, and then to secure the provenance and execution of that software in their products.
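As an added illustration of what "spelling out what software a product is built on" and "securing its provenance" look like in practice (example code, not from the original post or the executive order), the script below reads a CycloneDX-style SBOM (a real SBOM format) and reports components that lack the data a buyer would need to verify provenance later. The required-field set (supplier, version, package identifier, a strong content hash) is this example's own choice, not the minimum elements the order asks Commerce to define, and the sample SBOM is constructed.

```python
"""Audit a CycloneDX-style SBOM for missing provenance data.

Added example, not from the original post. It assumes a CycloneDX-style
JSON document and applies an illustrative set of required fields chosen
for this example: every component must carry a supplier, a name, a
version, a package identifier (purl) and at least one strong content
hash, so the software's origin and integrity can be checked later.
The sample SBOM below is constructed.
"""
import json

# Constructed sample SBOM: one well-described component and three with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "metadata": {"component": {"name": "widget-service", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "supplier": {"name": "Foo Org"},
         "purl": "pkg:generic/libfoo@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "supplier": {"name": "Bar Inc"},
         "purl": "pkg:generic/libbar@0.9.0",
         "hashes": []},                        # no hash: integrity unverifiable
        {"type": "library", "name": "libbaz",  # no version, supplier or purl
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "libqux", "version": "3.0.0",
         "supplier": {"name": "Qux LLC"},
         "purl": "pkg:generic/libqux@3.0.0",
         "hashes": [{"alg": "MD5", "content": "c" * 32}]},  # weak hash only
    ],
})

# Hash algorithms this example accepts as strong enough for integrity checks.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512",
                 "SHA3-256", "SHA3-384", "SHA3-512"}


def component_gaps(component):
    """Return the list of provenance gaps for one component (empty if none)."""
    gaps = []
    if not (component.get("supplier") or {}).get("name"):
        gaps.append("missing supplier")
    if not component.get("version"):
        gaps.append("missing version")
    if not component.get("purl"):
        gaps.append("missing package identifier (purl)")
    hashes = component.get("hashes") or []
    if not hashes:
        gaps.append("missing content hash")
    elif not any(h.get("alg") in STRONG_HASHES for h in hashes):
        gaps.append("no strong (SHA-2/SHA-3) hash")
    return gaps


def audit_sbom(sbom_json):
    """Parse an SBOM document and map each deficient component to its gaps.

    Components with no gaps are omitted, so an empty result means every
    component meets this example's bar.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % sbom.get("bomFormat"))
    report = {}
    for comp in sbom.get("components", []):
        gaps = component_gaps(comp)
        if gaps:
            report[comp.get("name", "<unnamed>")] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in audit_sbom(SAMPLE_SBOM).items():
        print("%s: %s" % (name, "; ".join(gaps)))
```

The point of the hash check is that an SBOM only helps "secure the provenance and execution" of a component if a verifier can later compare what is actually deployed against what the supplier declared; a component listed without a strong hash is described but not verifiable.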
Another: requiring that companies employ multi-factor, risk-based authentication for everything they do, if they do any business with the government deemed critical. The focus on authentication is an improvement, but logs and MFA are only part of zero trust. In practice, trust in identity providers requires real-time analysis of authentication protocols, which remain vulnerable to manipulation and forgery, as in the SolarWinds attacks.
The same guidelines suggest that companies, when possible, employ automation to dynamically assess risk to their software, and employ “practices of least privilege, network segmentation and proper configuration.”
The emphasis on endpoint detection and response (EDR) found in section VII, alongside consistent logging, is an essential part of cyber defense. Since EDR solutions are still easily bypassed by post-exploitation tools and techniques, again as demonstrated in SolarWinds, authentication-related observation and controls, above and beyond log collection and retention, will in fact be a cornerstone of any effort to strengthen the resilience of our networked commons.
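The two paragraphs above argue that collecting logs is not the same as observing authentication. As an added example (not code from the original post, and not any vendor's product), the script below correlates constructed identity-provider sign-in events with constructed token-acceptance events from a downstream service and flags tokens that do not trace back to a sign-in, or whose lifetime exceeds a policy maximum. The log format, field names, lookback window and lifetime policy are all this example's own assumptions; the checks themselves are the kind of "authentication-related observation" the text calls for.

```python
"""Correlate identity-provider sign-ins with service-side token acceptances.

Added example, not from the original post. The pipe-delimited log format,
field names, and the two checks are this example's own assumptions:
  (1) every token accepted by a service should trace back to an
      identity-provider (IDP) sign-in for the same user shortly before
      the token's issue time, and
  (2) a token's lifetime should not exceed the policy maximum.
A token failing either check is not proof of forgery, but it is exactly
what log retention alone never surfaces. All events are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_TOKEN_LIFETIME = timedelta(hours=1)   # assumed policy value
LOOKBACK = timedelta(minutes=5)            # sign-in must precede issuance by at most this

# Constructed sample log. IDP lines are sign-ins at the identity provider;
# SP lines are tokens accepted by a service, with the token's own claims.
SAMPLE_LOG = """\
IDP|2021-05-13T09:00:00Z|alice|signin|mfa=true
IDP|2021-05-13T09:30:00Z|bob|signin|mfa=false
SP|2021-05-13T09:00:05Z|alice|token|issued=2021-05-13T09:00:04Z|expires=2021-05-13T10:00:04Z
SP|2021-05-13T09:31:00Z|bob|token|issued=2021-05-13T09:30:30Z|expires=2021-05-14T09:30:30Z
SP|2021-05-13T11:00:00Z|bob|token|issued=2021-05-13T10:59:00Z|expires=2021-05-13T11:59:00Z
SP|2021-05-13T12:00:00Z|carol|token|issued=2021-05-13T11:59:00Z|expires=2021-05-13T12:59:00Z
"""


def parse_ts(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Split the log into sign-in events and token-acceptance events."""
    signins, tokens = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        source, ts, user, kind = fields[0], parse_ts(fields[1]), fields[2], fields[3]
        attrs = dict(f.split("=", 1) for f in fields[4:])
        if source == "IDP" and kind == "signin":
            signins.append({"ts": ts, "user": user, "mfa": attrs.get("mfa") == "true"})
        elif source == "SP" and kind == "token":
            tokens.append({"ts": ts, "user": user,
                           "issued": parse_ts(attrs["issued"]),
                           "expires": parse_ts(attrs["expires"])})
    return signins, tokens


def find_suspicious_tokens(signins, tokens):
    """Return (user, issued-at, reasons) for every token that fails a check."""
    findings = []
    for tok in tokens:
        reasons = []
        # Check 1: is there an IDP sign-in for this user just before issuance?
        explained = any(
            s["user"] == tok["user"]
            and tok["issued"] - LOOKBACK <= s["ts"] <= tok["issued"]
            for s in signins)
        if not explained:
            reasons.append("no identity-provider sign-in before issuance")
        # Check 2: does the token's own validity window exceed policy?
        if tok["expires"] - tok["issued"] > MAX_TOKEN_LIFETIME:
            reasons.append("lifetime exceeds policy maximum")
        if reasons:
            findings.append((tok["user"], tok["issued"].isoformat(), reasons))
    return findings


def signins_without_mfa(signins):
    """Users who signed in at the identity provider without a second factor."""
    return sorted({s["user"] for s in signins if not s["mfa"]})


def analyze(text):
    """Run both checks over a log and return (token findings, non-MFA users)."""
    signins, tokens = parse_log(text)
    return find_suspicious_tokens(signins, tokens), signins_without_mfa(signins)


if __name__ == "__main__":
    token_findings, no_mfa = analyze(SAMPLE_LOG)
    for user, issued, reasons in token_findings:
        print("%s token issued %s: %s" % (user, issued, "; ".join(reasons)))
    print("sign-ins without MFA:", ", ".join(no_mfa))
```

Neither check needs the token's signature to be broken to fire: a token that the identity provider never issued, or one whose claimed lifetime is far outside policy, looks wrong against the sign-in record even when it validates cryptographically, which is why the correlation has to happen across both log sources rather than within either one.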
The flashiest new measure from a policy perspective, the creation of a Cybersecurity Safety Review Board, would operationalize real-time collaboration between the government and industry as major cyber incidents arise. The most important part here in practice will be more disclosure, and more timely disclosure, of details about breaches and incursions. Better data benefits public and private sector efforts.
Finally, we think the development of a “green star” type label system for software could enhance the public’s trust in software - but only if it is kept up to date as software is deployed and ages. Software is not like manufacturing - it is more akin to farming or gardening, where continuous tending and nurturing may vary widely as storms and pests change in nature, approach and intensity.
The E.O. says little about cyber insurance related standards or obligations; we hope that Congress steps into the void to provide more legislative guidance on topics like cyber insurance payments to ransomware operators. Because of its scope, the order also does not apply to state and local governments, tribes and territories. The executive branch and Congress should continue to operationalize the general recommendations spelled out by the Cyberspace Solarium Commission, and the administration should attempt to communicate to the public as concretely as possible the lessons it learns from the many reviews its executive order calls for.
The EO is not a comprehensive response to the symptoms of a society that doesn’t take cyber resilience seriously enough. Notable gaps remain in this EO and other government initiatives. It is a step forward, but details matter: initiatives like zero trust, which are directionally accurate, will require tremendous and detailed effort to turn good concepts into pragmatic, practical solutions that fit how the underlying technologies actually work in the real world.