By Bahar Ferguson
Back in April, the U.S. intelligence community released its annual report containing an overall assessment of threats to the United States’ national security. It’s a report composed by 18 government agencies and while it includes regular foreign policy assessments on countries like Russia, China, North Korea and Iran, this year’s report contained something else, as well.
The 2021 report went into detail on the rapidly rising issue of cyberthreats and cybersecurity — which is no wonder, considering the recent actions of criminal enterprises and cyber-terrorist organizations. Even adversarial nation-states have worked to weaponize cybersecurity.
All of this means one thing: The government will have to act soon. And Pres. Joe Biden’s administration has recognized this.
Executive Order on Improving Cybersecurity
The key takeaway from the April U.S. intelligence report was the new world of potential hurt and challenges faced by everyone — from government cybersecurity experts to the average citizen trying to protect their identity and data online.
With that in mind, Biden issued an executive order on improving the country’s cybersecurity on May 12. The administration’s intent was clearly to galvanize private and public efforts in identifying, protecting against, deterring and responding to an increasingly complex array of malicious cyberattacks.
The executive order makes it clear that the administration has learned a few lessons from the recent cyberattacks. In essence, it signals two critical changes:
• Federal Cybersecurity: The executive order calls for better cybersecurity across all federal government systems. It promotes specific actions designed to modernize and update cybersecurity across all government agencies — like zero-trust architecture. In addition, the executive order wants to use the $70 billion at the federal government’s disposal for IT to impel government bodies to implement DevSecOps practices and build security in from the ground up in all future software development.
• Threat Response: The executive order sets clear goals for more agile and effective responses by the federal government to any future cyberattacks. First, the order standardizes the threat response playbook for different government agencies, allowing them to work together in incident response. Also, it removes any contractual barriers for IT providers to share incident information with relevant government entities and compels them to report cyberattacks on time.
According to the president’s executive order, this work is a matter of national trust and security. The order states that the trust placed in the country’s digital infrastructure must be proportional to the transparency and trustworthiness of that infrastructure and the potential consequences if the faith turns out to be misplaced.
What Are the Effects?
It’s important to understand that this executive order is not a catch-all solution for cybersecurity threats. Dealing with increasingly diverse attack vectors in the future will require across-the-board change and constant vigilance.
It’s clear that the executive order is a step in the right direction. However, in the future, both the cybersecurity industry and the government will need to update their regulations, laws and corporate responsibilities and adjust to a borderless digital world.
With that in mind, what are the immediate and short-term effects of Biden’s executive order on cybersecurity? We can divide all the affected actors into three groups:
1. Federal government agencies, who will need to modernize their digital environment and cybersecurity practices.
2. Federal contractors, such as commercial, off-the-shelf software providers, who will likely receive amended cybersecurity standards as a part of their contract terms. In the future, they will be required to exhibit more transparency on cyber incidents. Paired with the Cybersecurity Maturity Model Certification (CMMC), many changes to the regulations and requirements for government contractors are expected in this space.
3. The private sector. IoT device manufacturers and software developers will also be presented with new assessment standards and security requirements. Private contractors will also experience a new focus on security in supply chain software and updated consumer security labels on IoT devices and consumer software.
It’s important to note that this isn’t the first executive order on the nation’s cybersecurity. Six years ago, Pres. Obama’s administration issued an executive order with a similar intent; however, that previous executive order had a far narrower scope, mainly focusing on the possibility of sanctions against malicious actors who represented a threat to the country’s cybersecurity.
The Biden administration has decided to make an effort to improve cybersecurity. The order’s impact will be felt soon enough, with the federal contractors being affected by the new standards first and then the new practices rippling through the rest of the related industries.
Implications for Federal Contractors
As we’ve mentioned above, the federal contractors from the IT industry will be most directly affected by the executive order. They will have three crucial mandates soon:
• Increase information sharing.
• Improve detection capabilities.
• Improve remedies and investigative capabilities.
The executive order dispenses with any contractual barriers for IT service providers to provide breach data that could affect government networks. Consequently, federal departments will be able to mount a more effective defense against cyberthreats.
Until now, defense contractors were the only ones with specific requirements for cybersecurity breach reporting. Now, the executive order extends the same requirements to any Federal Acquisition Regulation (FAR) contract. Also, contractors will need to collect and share information related to incidents, vulnerabilities and threats and provide it to the FBI, CISA and other agencies for investigation.
Also, federal contractors will need to assist the government in improving its detection capabilities on federal networks. Information-sharing will likely be enhanced within the government, and a government-wide detection and response system will be enabled.
Finally, the executive order has added event log requirements for cybersecurity in federal agencies and departments. Cybersecurity Maturity Model Certification compliance will continue evolving and shaping the landscape for government contractors.
Implications for the Federal Government
Pres. Biden’s executive order also provides guidelines to the federal government in adopting cybersecurity best practices at a higher rate. Such methods include deploying essential security tools like encryption and multifactor authentication, a government-wide move to secure cloud services and a zero-trust security model.
The last part is vital because the administration has exhibited a solid commitment to establishing a zero-trust architecture. This is something that the business community has already been considering and the adoption of such architectures has increased since the increased attacks on software supply chains in 2020.
Now that the federal government has endorsed this kind of layered defense strategy, it is likely to become a leading practice for business leaders, becoming a significant part of their cybersecurity investments.
Cybersecurity Safety Review Board
The executive order has also created a cybersecurity safety review board that is co-chaired by private-sector leads and the government. After a debilitating cyber incident, it may convene to quickly create a professional analysis of the event and immediately make concrete recommendations on the subsequent actions for improving cybersecurity as a response.
Industry leaders expect this board to operate much like the existing National Transportation Safety Board, with its investigations resembling the NTSB’s work after an impactful transportation incident.
The cybersecurity requirements are continually evolving and growing into a broad number of industries. Whether your business is directly mandated or simply taking best practices, it is important to work with your IT partner to understand how you are complying with the necessary requirements or best practices. This process is not one that can be done and forgotten, but must be incorporated into your regular, ongoing business practice.
Bahar Ferguson is president of Wasatch I.T., a Utah provider of outsourced IT services providing tech support, cybersecurity, strategy and compliance consulting for small and medium-sized businesses.