Alarmed by recent cyberattacks involving SolarWinds, Microsoft Exchange and now Colonial Pipeline, the White House is taking action to try to shore up the cyber defenses of the United States. On Wednesday, President Biden signed an executive order that aims to strengthen the nation’s ability to prevent and respond to cyberattacks that threaten vital assets and systems.
SEE: Security incident response policy (TechRepublic Premium)
Noting that the country’s insufficient cybersecurity defenses leave the public and private sectors more vulnerable to cyber incidents, the Executive Order on Improving the Nation’s Cybersecurity addresses several key areas for improvement. A fact sheet that attempts to break down the lengthy executive order (EO) details seven distinct actions that will go into effect.
The executive order comes in the wake of the recent ransomware attack against Colonial Pipeline, which delivers gas, heating oil and other forms of petroleum to homes and organizations across the East Coast. The attack forced the company to take certain systems offline, suspending all pipeline operations. Though Colonial has been bringing its operations back online, the incident clearly shows the vulnerabilities that exist in critical infrastructure and systems.
Will the new executive order make a significant difference in the battle against cyberattacks? Though that remains to be seen, it’s a step in the right direction
“We have an administration that understands and prioritizes cyber,” Cybereason chief security officer Sam Curry told TechRepublic. “This can, and will, make a difference and set a strong example of leadership. Cyber is now in the same conversation as energy and roadways at the federal level, and this is a significant piece of the executive order.”
Beyond the EO itself, specific aspects of it are receiving praise. Adoption of the zero trust model, which was mentioned frequently in the order, will treat all users as untrusted unless proved otherwise. That should set a high bar for enterprises to better protect their industrial control systems, according to Grant Geyer, chief product officer at cybersecurity provider Claroty.
The “Energy Star” type of label for software products will create financial incentives for developers to ensure that their code is secure. And the setup of a cyber safety review board aims to build public trust in software, just as the NTSB was established to foster trust in airplane travel, Geyer added.
However, like many government initiatives, the executive order faces key challenges if it’s to make a dent in the battle against cyberattacks.
First on the list is whether government agencies, which are notoriously slow to act, will jump on board the bandwagon quickly and efficiently enough.
“This executive order is a broad sweeping in terms of both the scope of the order as well as the aggressive timelines laid out by the administration,” said Bryan Orme, principal &amp; partner at GuidePoint Security. “Given the assumption that the agencies follow through with adoption of it, which is a large assumption, it should make a significant positive impact on the strength of US cyber defenses.”
Second, information sharing between the government and private sectors is a worthy goal. But it needs to be a two-way street, said Padraic O’Reilly, co-founder &amp; chief product officer for CyberSaint Security.
“Information sharing within the cybersecurity community has long been decried as something there needs to be more of,” O’Reilly said. “As the government looks to increase the communication between public and private sectors, they must work to ensure that it is a two-way street. The EO does acknowledge this need, however, historically private sector CISOs have felt that the information sharing ends up as a one-sided relationship.”
Sharing threat information is an area that does need further focus, according to Joseph Cortese, director of R&amp;D at A-LIGN. Adopting this type of standard could lead to bottlenecks within private companies that conduct threat intelligence. The volume of data required may not be fully understood and could complicate the ability to follow the order, Cortese added.
Third, the executive order applies mostly to government agencies and seems to have little or no direct impact on the private sector.
“This Executive Order is a good first step but it is likely not going to materially change the threat landscape,” Eric Cornelius, chief product officer at cloud security company iboss, told TechRepublic. “While the order sets the stage, it is mostly focused on federal networks. But the fact is that nearly all of America’s critical infrastructure is privately owned and operated. If America’s national security interests are to truly be protected, we will need regulatory requirements across all sectors of critical infrastructure.”
However, the order does encourage greater cooperation between the government and businesses. Further, any guidelines and requirements set by the government may trickle into the private sector.
“Recent ransomware attacks have been targeting US critical infrastructure, which is primarily owned and operated by private companies in collaboration with public sector agencies,” said Stephen Banda, senior manager for security solutions at Lookout. “The EO makes clear that government procurement of secure software will be a priority; the government’s purchasing power can send an unmistakable signal to the private sector that software security is an absolute must.”
Finally, is the order taking the right approach, or will it just complicate matters to the point that the specified actions fall through the cracks?
“It is impossible to tell if the problems we’ve been experiencing are the result of fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security,” Cortese said. “Viewed through that lens, if we pile on more technology requirements that do not get adopted down the supply chain, we are no better off.”