United States announces Executive Order on improving the Nation’s Cybersecurity
This week, US President Joe Biden announced an executive order aiming to boost resilience and reduce the country's vulnerability to cyberattacks.
In the official briefing call, a senior administration official stated that: ‘this executive order is about taking the steps necessary to prevent cyber intrusions from happening in the first place and second, ensuring we're well positioned to respond rapidly to address incidents when they do occur.’
Here, Jennifer Fernick, NCC Group’s Global Head of Research, shares her thoughts on what it covers and how it will help boost cyber security.
A powerful and actionable mandate to meaningfully improve cyber-resilience
Not only does it incorporate some of the most important defensive tools we have (multi-factor authentication, encryption of data in transit and at rest, effective logging & monitoring, designing zero-trust architectures), it also clearly addresses software supply chain risk through a range of measures – including secure development practices and independent software build verification, attestations of code provenance, working to mitigate the risk of vulnerabilities in transitive dependencies, as well as the use of code review tools, static and dynamic analysis, software composition tools, and penetration testing to both remediate known vulnerabilities, and proactively identify as many novel (zero-day) vulnerabilities as possible.
It does not make the mistake of presuming that these defensive measures will always protect us
It specifically requires vulnerability disclosure programs, threat intelligence information-sharing, and incident response playbooks, to make it easier and safer for security researchers to help software vendors know about and fix security vulnerabilities in their software, as well as for organizations’ cyber-defense teams to share information with one another about emerging threats, and to have playbooks ready to respond when cyberattacks inevitably occur.
A powerful change to the entire tech ecosystem
The fact that this requirement applies to anyone wishing to sell technology services to the US federal government raises the bar for technology providers to improve the security of both their products/services, as well as of their internal operations, which has a downstream beneficial effect to all their customers, including those outside the federal government. Indirectly, this helps improve the security of private-sector critical infrastructure, and American (and global) business, writ large.
Explicit acknowledgement of real-world harms
This Executive Order also explicitly acknowledges the real-world harms that can come about from malicious behavior targeted at internet-connected physical systems (Operational Technology) as we’ve seen most recently in the Colonial Pipeline incident.
By considering the industrial internet and industrial control systems in scope for these protections, the government is explicitly seeking to mitigate against the many dangers that come from connecting everything in our lives – smart homes, medical devices, self-driving cars, utility grids and beyond – to the fragile Internet, which was definitely never designed to be secure, and yet whose security is a prerequisite to safety, stability, privacy, and resilience.