By Mark Lanterman
This past May, President Biden issued a document entitled “Executive Order on Improving the Nation’s Cybersecurity.”1 In light of the multiple recent large-scale cyber events—including the SolarWinds, Colonial Pipeline, and JBS Meats attacks—the order comes at a particularly critical time. How can our nation improve its cybersecurity posture and its response to incidents when they occur? How should agencies communicate with each other and share information?
The order lays out a roadmap to achieve progress in several key areas. The federal government must:
- adopt security best practices;
- advance toward zero trust architecture;
- accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS);
- centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and
- invest in both technology and personnel to match these modernization goals.
Given the rapid evolution of the Internet of Things and the adoption of new technologies within the federal government and government agencies, standardizing incident response procedures and cybersecurity measures is critical. The recent ransomware attack on JBS meatpacking plants strongly demonstrates how cybercriminals can take advantage of vulnerabilities in IoT devices to target critical infrastructure.2
The Biden order stresses the need for standardization at numerous levels, including contractual requirements for third-party vendors, policies and procedures for cloud technology, and guidelines for enhancing software assessment and supply chain security. Standardization is a cornerstone of any strong cybersecurity program. In previous articles, I’ve discussed the often disjointed nature of organizational knowledge and procedures, especially in regard to new circumstances that affect security posture, such as cloud migrations and third-party vendor relationships. Standardization allows for better communication, response, and reporting capabilities, especially when faced with a large-scale breach. The order also emphasizes addressing weaknesses in software supply chain security and standardizing software testing and assessment requirements, a proactive measure in mitigating cyber risk.
The order further calls for a standardized response and vulnerability playbook incorporating NIST standards, a move that highlights the government’s movement toward improving its proactive and reactive measures. Interpreting the lessons learned in cyber incidents and making them actionable requires a high degree of coordination and centralization across agencies.
In addition to efforts to standardize, the order emphasizes the need to modernize cybersecurity measures as quickly as possible. Its timelines for compliance with critical cybersecurity measures include the implementation of multi-factor authentication and encryption requirements for data both at rest and in transit.
The importance of these measures is underscored by the fact that they are mandatory, and written attestations are required for instances of non-compliance. Classifying and prioritizing data help in determining appropriate processing and storage measures and in establishing appropriate resource allocation. Moreover, the order stresses the need for improved network security and early threat detection. Increased visibility into potential threats and threat hunting activities will contribute to the government’s efforts to mitigate cyber risk and control cyber events when they occur.
The order also highlights the importance of visibility and transparency in its cybersecurity measures. This effort extends beyond the government, however, to include the private sector:
“The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”3
The federal government’s commitment to increased visibility and partnership with the private sector is further illustrated by the order’s establishment of a Cyber Safety Review Board consisting of members from both the federal government and private entities. Information sharing between the federal government, the private sector, and vendors, as well as between agencies, is better enabled by removing barriers that would otherwise prohibit it and by taking steps to standardize cyber language.
The Biden administration order signifies a bold step toward more effectively prioritizing cybersecurity in the United States. Through standardization, modernization, and increased transparency in cybersecurity measures, the nation will be in a better position to improve its cybersecurity posture and respond efficiently to attacks.
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.
3 Supra note 1.