September 10, 2021
With the recent signing of the Executive Order on Improving the Nation’s Cybersecurity (14028), the Biden Administration ushered in a new federal emphasis on cybersecurity hygiene and correctly implementing current and new requirements governmentwide. Motivated by “persistent and increasingly sophisticated malicious cyber campaigns” that threaten the nation, the administration crafted this executive order to address prevention and protection of government systems and critical supply chains against malicious cyber infiltrations.
The order also stresses the importance of conducting thorough forensic examinations after attacks happen to derive lessons learned that can then improve future deterrent efforts. Recent cyber infiltrations of critical infrastructure and other systems have shown the increasingly sophisticated means by which state-sponsored actors are adapting to current U.S. cyber protections. This EO could not have come at a more pressing time.
The order calls for “bold changes and significant investments,” rather than incremental improvements. Significantly, it emphasizes the role of the private sector, which must also adapt to and address rapidly emerging threats. Private companies own much of the critical infrastructure and develop, manufacture, and operate much of the technology the federal government uses. The order calls for transparency in the digital infrastructure as a means to foster trust,, which affects industry as well as agencies.
With the bold changes outlined in the EO, agencies need a structured managed process to implement the changes. The management structure should follow industry best standards and create transparency along with facilitating a strong communication process. This will reduce the risks of implementing change and creates efficiencies. We believe Agile methodology offers a proven and dynamic approach that facilitates transparency, communication and delivering on the objectives.
To that end, this EO makes the case for ending contractual barriers that limit sharing information between public and private entities. For example, service providers often have access and insights into cyber threat and incident information on federal systems, but are unable to share it with federal agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI, due to contract terms.
From concept to reality
The order primarily focuses on setting timelines for agencies to submit plans that accomplish various objectives. Although light on specific strategies and technologies—tasking the responsible agencies with developing individual approaches—the cyber EO does advocate for stronger implementation of cyber requirements agency-wide, including cloud security, zero-trust architecture, endpoint detection and response and multi-factor authentication. These provide a powerful starting point for cybersecurity improvements and puts the onus on agencies to take ownership of their cybersecurity postures. The order empowers—and requires—chief information officers (CIOs) and chief information security officers (CISOs) to take the lead.
The order encompasses the whole of the U.S. federal government in many of its provisions. For example, the drive to remove the obstacles to information sharing include amending the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) as needed to ensure contracts enable and require service providers to collect and share data with the relevant federal organizations.
For agencies to meet the EO’s objectives, cybersecurity should exist at the very beginning of product design, project planning and digital transformation. In today’s threat environment, security should be a core component of any technology deployment, not something to add on along the way. Mandates that apply after the fact inevitably prove less effective, and more costly, than a security-first strategy.
The order does call for using the purchasing power of the government to incentivize industry to build security into software. However, security also needs to be at the forefront of project planning, solutions architecture and any digital transformation initiative. Further, organizations should not limit the scope of security concerns. Security extends beyond endpoints and data. A holistic security strategy addresses the entire enterprise of technology connected to the network.
A holistic strategy also addresses the human aspect of cybersecurity. Every agency or company employee with access to a network presents a potential point of vulnerability. While cyberattacks are growing in sophistication, simple social engineering techniques, such as phishing, are still common and effective. Recent studies have found that breaches attributed to insiders have increased 47% since 2018, mostly due to people behaving naively or carelessly. Training and awareness are indispensable as part of a holistic security strategy to modify human behavior.
The EO does suggest some technological measures to mitigate such insider risks, including multi-factor authentication and zero-trust architecture. Our experience has shown us that utilization of technology combined with training creates a stronger cyber posture for the organization. With the implementation of automation and machine learning tools, you can monitor your users to reduce behavior that creates vulnerabilities. We suggest considering these as complements to training and education rather than solutions in themselves . The tools are useful, but when people understand how their actions contribute to a stronger cyber defense, they are much less likely to make mistakes out of ignorance. When organizations minimize unintentional security errors, only intentional and malicious insider threats are left—and are then easier to detect and identify.
With the executive order calling for updates to the FAR and DFARS, we also recommend updates in cyber technology, such as machine learning and artificial intelligence, to monitor, protect and hunt for threats. As we all know, this is an area for continued growth in government and industry and also an area our near-pear competitors are actively investing in as well. Today and into the future, organizations must continually drive the utilization of new technologies for protection. The growth of quantum computing helps with threat awareness, protection, insider threat monitoring and management of information. Just as defenses grow stronger, so do the threats. They will continue to become more complex, targeting more data, infrastructure and individual people.
To thwart cyber threats and provide the next generation with effective cyber solutions, CIOs and CISOs must borrow a command-and-control approach from the military and take charge of the entire IT eco-system.
Using an Agile approach
Security management will benefit from using an Agile methodology. Agile provides a key strategy for maintaining security in a rapidly evolving environment. The ability to shift, adapt and respond to security threats and mitigate vulnerabilities requires an agile approach. DevOps practices such as continuous integration, automated testing, continuous delivery and continuous deployment increasingly help federal agencies speed up software delivery. DevSecOps provides a security-focused approach throughout the development process when implementing new tools, resulting in a more secure end product.
As with infrastructure or your enterprise, security in DevOps remains critical and should be deployed from inception. DevOps does not inherently put security in a position of primacy, where it needs to be. DevSecOps—or SecDevOps as some term it—helps move the mindset to a security-first stance with awareness of downstream security effects of decisions.
Build a framework with enterprise architecture
Federal organizations can help eliminate silos by implementing enterprise architecture, which helps to ensure coordination between various components of the organization. In the interest of making cybersecurity holistic and effective across an agency or department, EA coordinates the moving parts. While the executive order does not use the term “digital transformation,” much of the necessary reform to meet its cybersecurity goals call for just that in many departments and agencies. Enterprise architecture provides a solid foundation for digital transformation and, therefore, is important for making “bold changes and significant investments” that the EO envisions.
Using enterprise architecture as a framework, an agency can define a strong cybersecurity posture for emerging technology. While established technologies need attention too, emerging technologies are, by definition, less well characterized and potentially more vulnerable to cybersecurity threats. Enterprise architects must support the definition of boundaries and constraints for experimentation with emerging technology to form a strong cybersecurity posture.
Open-source software components present a similar challenge. Common in enterprise software and solutions; open-source components provide ready-made libraries, frameworks and software modules for low cost. However, because a user community builds them, they are not always well documented or consistent in their development. This makes open-source an attractive target for threat actors as a mechanism to inject malicious code into components used in commercial software products.
A third-party management (TPM) program can create and enforce uniform, enterprise-wide policies and processes for managing third-party software. Regular security scans and prompt updates are important practices, for example, but less effective if the entire enterprise is not coordinated. A TPM program meshed with enterprise architecture provides a holistic strategy that puts the CIO or CISO in direct charge of ensuring protection from attacks.
Address the critical infrastructure
Federal organizations should be aware of the critical infrastructure, even when the mission at hand does not directly tie to it. Successful cyberattacks against power grids, communications systems or other critical infrastructure components could cripple the nation for an extended period.
First defined in 1996, critical infrastructure refers to those systems so essential to the United States that having one crippled would seriously affect national security, the economy, public health or safety. Sixteen sectors are now included in the critical infrastructure (full list.)
The public-private partnership aspect is important in critical infrastructure, as the private sector owns most of it. As NIST moves to strengthen cybersecurity controls, other aspects of the EO, such as information sharing and supply-chain security, also serve as key components.
The executive order indirectly addresses two components of the critical infrastructure—information technology and the defense industrial base—particularly in a section on securing the supply chain for “critical software.”
However, the entire critical infrastructure is important, and information technology plays a key role in every critical infrastructure component. It also highlights where the government and private sector coordination and collaboration are especially important.
Separately from the executive order, the National Institute of Standards and Technology (NIST) is preparing a new set of standards for security and privacy controls for information systems. Known as NIST SP-800-53 Rev. 5, the revised document is intended to develop a “proactive and systematic approach” to cyber deterrence.
Build security from the start
Maintaining a security-focused approach to development and deployment is essential to keeping security a core component, both of any individual deployment and the IT ecosystem as a whole. It is the first step toward continuous monitoring and detection of anomalous activity and behavior.
Organizations have to take a multi-layered approach to cybersecurity. For external threats, security starts at the outer edge of the network. Perimeter and endpoint security combine to block common breach methods. Perimeter security monitors traffic to detect malware, while endpoint security analyzes the behavior of devices on the network to spot unusual patterns that can indicate someone has breached the digital wall.
Command and control is “[t]he exercise of authority and direction by a properly designated commander over assigned forces in the accomplishment of the mission,” as the Department of Defense defines it. Here it refers to agency CIOs and CISOs empowered to oversee a proactive, holistic and pervasive cybersecurity strategy, making bold changes in the face of ever-increasing threat.
No single solution exists for this pressing problem. No one executive order, piece of legislation, NIST document, software methodology or training program will defeat the threat. It takes all of this and more, under the watchful eye of experienced and innovative cybersecurity professionals who come to work every day prepared to respond quickly to emergent situations.
This very real threat and potential consequences of failure are catastrophic, but the federal government is no soft target. As Biden’s order emphasizes, the private sector has to harden as well, especially those private concerns that are responsible for critical infrastructure, software and other at-risk domains. Together, government and industry can protect America’s assets, now and in the future.
This article original appeared in the Summer 2021 edition of Service Contractor Magazine