Biden Swings for the Fences
In response to recent incidents such as the SolarWinds hack and Colonial Pipeline ransomware, President Biden signed a sweeping executive order on cybersecurity. The longest such order ever, it addresses many facets of cybersecurity with aggressive deadlines. Its boldness and breadth drew praise from many experts. But a closer look at the executive order reveals many limitations.
The White House’s own fact sheet breaks down the order into seven key areas. Let’s take a quick look at each of them:
Public-private threat information sharing
The order updates contracts between technology suppliers and federal agencies to mandate threat information sharing with the purchasing agency plus other agencies to be named later, most likely including the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and elements of the Intelligence Community (IC).
Threat intelligence sharing barriers (silos) between most agencies were largely dismantled after 9/11. Mandating such sharing in supplier contracts will moderately improve federal visibility, but does nothing to improve such sharing with Critical Infrastructure operators such as Colonial Pipeline. Nor does it improve sharing within the private sector.
What’s really needed to get private sector intelligence flowing freely is confidentiality guarantees (including FOIA) and liability indemnification. We also need more sharing from government to business, which requires changes to how sensitive data is classified and clearances are issued. The Biden order addresses none of this. Our grade: C+
Zero Trust Architecture
The order requires federal agencies to adopt Zero Trust Architecture (ZTA) and better cloud security. Technical details will be defined by the National Institute of Standards and Technology (NIST) which has done significant work in these areas. Civilian agencies must also implement 2-factor authentication and data encryption within 180 days.
This part of the order is ambitious, perhaps overly so. ZTA is a high bar for any organization to reach, particular the average federal agency that’s struggling just to implement basic cyber hygiene. ZTA is a good long-term goal, but the initial focus should be on fundamentals like software patching. The encryption and 2FA authentication requirements are also good short-term goals. Our grade: B
Supply chain security
The order requires software suppliers get an “Energy Star style” cybersecurity seal of approval in order to do business with federal agencies. Once again the technical details are left to NIST, which has one year to publish standards on things like build environments, code reviews, vulnerability disclosure, and open source software.
The devil’s in the details (NIST standards) but in theory this could have prevented the SolarWinds attack. However, we must be wary of unintended consequences. For example, the requirement to “attest … to the integrity and provenance of open source software used within any portion of a product” could have a chilling effect on open source software reuse. That’s not necessarily a bad thing from a risk perspective, but it would drive up the cost of commercial software and delay releases. Our grade: A-
Cybersecurity Safety Review Board
The order calls for DHS to create a new board, modeled after the National Transportation Safety Board (NTSB), to review cybersecurity incidents in both public and private sectors. The order is vague on what the board’s scope or duties include, which incidents will be reviewed, how recommendations will be issued, and whether they can be enforced. There are many more cyber incidents than plane crashes, so the board will have to triage or risk getting overwhelmed. But if the board can shine a light on cyber threats and influence future prevention, it seems like a good idea. Our grade: B+
Federal incident response playbook
Every organization needs a “playbook” for responding to a variety of cyber incidents, carefully documented and tested before it’s put into use. The order requires a standard playbook be developed for use across all civilian agencies. “Agencies with cybersecurity vulnerability or incident response procedures that deviate from the playbook may use such procedures only after consulting with the Director of OMB and the [National Security Advisor].”
The difficulty here is that incident response playbooks must be tailored to each organization to be really useful. Names of people and departments, phone numbers, etc. so everyone involved know their roles and how to communicate. A “one size fits all” playbook for the entire federal government isn’t practical. A better approach would be to create a template or meta-playbook, while letting each agency customize its own playbook in accordance with best practices. Our grade: B-
Federal Endpoint Detection & Response (EDR)
The order requires all civilian agencies to leverage an EDR solution “centrally located [at DHS] to support host-level visibility.” Of course all organizations should have EDR or AV solutions on endpoint devices. But once again there seems to be a “one size fits all” mentality at work. Centralize the security incident event monitoring tool (SIEM) but let agencies choose their EDR solutions. If they all run the exact same EDR configuration, the resulting monoculture will be more vulnerable. Our grade: B
Federal logging and monitoring
All civilian agencies are ordered to activate logging on their systems, based on standards for log retention and management to be established by OMB in the next 90 days. Logs must be shareable between agencies, but there’s no indication of a single centralized logging infrastructure, leaving agencies some flexibility in how and what to log. Unlike ZTA, basic logging is fundamental and achievable. It could yield major benefits down the road, especially for forensic investigations. Our grade: A
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.