US Cybersecurity Executive Order Says Incremental Improvements Will Not Give Us the Security We Need
by Oliver Rochford, Senior Director of Content Marketing
Background
On the 12th of May 2021, President Biden issued an executive cybersecurity order, the “Executive Order on Improving the Nation’s Cybersecurity”. The order came after a high-profile cybersecurity breach was disclosed on the 10th of May impacting a critical infrastructure provider, the fuel transport company Colonial Pipeline Networks. The breach forced the company to shut down its operations, severely disrupting the US oil and gas supply chain, with some reports stating that the flow of nearly half of the gasoline and jet fuel supplies to the US East Coast were cut off.
Of greater concern are reports that the breach was not even initiated by a state-sponsored threat actor, but instead resulted from a common ransomware attack launched using an off-the-shelf, cybercrime-as-a-service tool to extort money from the company.
The speed of response by the US government is laudable, and the amount of detail in the order makes it seem likely that this hasn’t just been drafted in the last couple of days.
In addition to wide-sweeping mandates on modernizing cybersecurity for federal information systems, the order also stipulates the creation of a Cyber Safety Review Board, similar to the National Transportation Safety Board, a milestone in acknowledging that cyber security can be regulated in the same way that other critical industries are.
The order covers both IT and OT systems, and outlines a range of different topics, including threat intelligence sharing, software supply chain security, and standardized federal playbooks and policies for vulnerability and incident detection, response, investigation, and remediation. More importantly, many of the mandates are not just for federal systems themselves, but also for suppliers and providers working with them, including cloud providers.
Especially for federal agencies, contractors, and suppliers, there are a few important things to take note of. For example, some very specific technologies and methodologies have been named, including improved incident detection capabilities, and federal-wide endpoint detection and response (EDR), and zero-trust initiatives. It is rare for technical regulations to be this specific, but the federal government seems keen to want to provide clarity and set a clear benchmark for everyone to understand and follow.
Summary of Executive Order Mandates
The precise implementation details in many instances are yet to be determined and announced, but the executive order already gives some insight into what we can expect.
Zero Trust and EDR
The specific mention of zero trust architecture in section 3 is a huge endorsement for the concept. The challenge of course is that it is an architectural approach that permits a large degree of freedom in the implementation. It will be interesting to see if and what dominant constellation of technologies and processes will evolve, and if that same set of solutions will migrate from the federal into the commercial space.
In section 7, the order also mandates the deployment of endpoint detection and response technology, to facilitate not just incident response, but also for threat hunting. There’s a tacit admission here that relying on static detections based on signatures or threat intelligence, essentially solutions that are predicated on knowing in advance precisely what a threat looks like, does not fully solve the problem. Especially in more critical environments, attacks are more likely to be tailored and targeted, meaning there is no prior knowledge. This requires smarter approaches, such as behavioral analysis and proactive hunting.
EDR especially is focused on near-term activity and is more concerned with ensuring that telemetry and detections are generated, not necessarily kept available and searchable, and especially correlated with other security data.
Cloud
The order specifically calls out the need to accelerate cloud adoption, with all three models (IaaS, PaaS, SaaS) embraced.
With the strong emphasis elsewhere in the Order on achieving better visibility (see sections 7 and 8), pushing for greater cloud adoption brings its own set of challenges. Cloud security monitoring is still an emerging field in comparison to endpoint and network. Any future recommendations will need to deliver useful and actionable guidance on how to ensure that security telemetry from cloud environments is also effectively generated, collected, and stored. Accelerating cloud adoption will require a full assessment of how to achieve the same level of visibility that is expected, for example from EDR, so that we don’t close one visibility gap only to open another.
Supply Chain Security
The Order will have huge implications for federal contractors, service providers, and suppliers.
The requirements are quite specific and include implementing a multi-factor, risk-based authentication and conditional access model (basically, zero trust), as well as conducting security monitoring. Federal partners will also in the future have to initiate and run a vulnerability disclosure program.
Establishing a Cyber Safety Review Board
Section 5 outlines the establishment of a Cyber Safety Review Board, similar to the National Transportation Safety Board, that investigates plane crashes.
This is a seminal milestone, making cybersecurity similar in importance to other critical infrastructure. More importantly, it also puts to rest the argument that somehow cyber security is exceptional and cannot be regulated like other industries.
Improved Detection, Investigation, and Remediation Capabilities
In addition to using EDR to facilitate improved detection and incident response, the Order also makes note of improved logging. Section 8 specifically speaks about “types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs”.
Don’t get me wrong. I work for a company that sells a next generation cloud SIEM, so this is really good news and a huge boost. At the same time, this part of the Order seemed like a cut-and-paste job from a much older document. Instead I would have liked to have read more about the importance of being able to scale log management, for example to do long-term historical analysis of log data, and also more about analytics, especially behavioral approaches.
No NDR, No SOAR
Network detection and response (NDR) is not mentioned at all in the order. It is not clear at this juncture if this is just an oversight in the order itself, or whether the final guidelines will also double down on EDR. Threat intelligence and SOAR also weren’t mentioned. It will be interesting going forward to see whether the prescribed solution set will grow in diversity.
Conclusions
While we have had many such frameworks in the past, for example NERC or HIPAA, their success has been quite mixed. The common joke is that many compliant organizations get breached. But of course, that slightly misses the point. Security frameworks are there to set a baseline standard and drive formalization, so that risk can be measured, compared, and managed. Whether a framework succeeds or fails always depends on the implementation and enforcement.
There are still a number of open questions, that we hope will be answered over the coming months:
- How will effectiveness be measured once it has been implemented?
The order does not mention anything about testing, such as using red teams or breach and attack simulation technologies to validate whether all of these controls are actually operated and configured effectively.
- How will the regulation be enforced, and compliance audited?
The mixture of public and private produces its own challenges. Private sector companies can be penalized with a financial fine for non-compliance, but how will this work for the federal agencies themselves?
- How realistic are the time frames?
Some of these time frames are difficult to say, especially without knowing what maturity everyone is starting from. How will suppliers and contractors be treated if they don’t make the deadlines? Will it even be viable for everyone?
Which brings us to the biggest question of all: What will this cost? And who is going to pay? Similar programs, for example the National Vulnerability Database (NVD) and the Vulnerability Equity Program, have been understaffed and underfunded in the past, despite lofty objectives.
Overall, the Order is a step in the right direction, and we welcome the efforts outlined. We wholeheartedly and fully agree with the statement: “Incremental improvements will not give us the security we need”.
We will be following this topic closely. And as more details become available, we will provide additional guidance and commentary.