President Joseph R. Biden issued an “Executive Order on Improving the Nation’s Cybersecurity” on May 12 which sets forth numerous requirements for federal agencies and organizations doing business with the federal government. CompTIA issued a statement in support of this Executive Order on May 13. While there is a lot to like about this Executive Order, it’s not without some concerns.
Most notably, there is a missed opportunity to call on private industry to adhere to many, if not all, of the requirements placed on federal agencies, where applicable. It is clear that neither private industry nor government is able to successfully confront the cybersecurity threats they face on its own. It will only be through improvements in how private industry and government work together that we will be able to gain the momentum away from the bad actors and further secure our connected networks.
We Need to Share Information Early, Often
I’m most pleased with the call to increase and improve information sharing between agencies. The sharing of cyber threat intelligence is critical to enable organizations to configure, deploy and most importantly, monitor their environments for signs of attack. The public-private partnership has never been more important. It is my hope that the call for improved information sharing within the federal government will naturally spill over to enhance existing public-private partnerships, mostly managed through the Cybersecurity and Infrastructure Security Agency (CISA).
Some of the mandatory reporting requirements could be troublesome, mostly for service providers to the federal government. Even so, I generally support the requirement, as we have to incent, or in this case require, notification of cybersecurity events that could be indicators of successful attacks. Too many organizations, public and private, keep information about possible or known attacks close. I believe this is out of a concern that the organization will be “cyber-shamed” if it self-reports without a complete post-mortem of the attack. It’s more important than ever that organizations come forward at the first indication of concern, even if not fully verified. We have to share as much information as possible as early as possible if we can ever hope to gain the upper hand and move from reactive defense to effective offense.
A Call for More Cyber Investments, Training
The Executive Order also calls for a significant increase in reporting to Congress. While the goal is noble, I do have concerns that increased reports will simply add to an already significant volume of information being sent to lawmakers that, to date, has not produced meaningful improvements. As long as this reporting leads to real positive change, I will be able to get behind it, but I fear it will just create more noise and not the needed action that most industry experts agree on.
Certainly, an increase in funding to the Department of Homeland Security (DHS), and specifically CISA, is needed. We have to make the investments to better secure our collective infrastructure. There are some concerns that this will lead to DHS recruiting all available cybersecurity talent and worsening the growing gap in skilled workers available for hire across public and private organizations. Time will tell if this concern materializes, but this is yet another reason why CompTIA’s workforce and training programs are critical to closing the massive gap in available skilled workers.
Seven Areas Where We Can All Improve
The Executive Order highlights seven specific areas in need of improvement. As I already mentioned, I am very pleased to see the removal of barriers to threat information sharing between government and the private sector being called out as the number one priority. The sharing of this threat information is critical to allowing the government and private sector to effectively collaborate on getting the upper hand against the bad actors. This is something that has universal support, and certainly CompTIA and the CompTIA ISAO strongly support this and stand ready to help make it happen.
There is also a requirement for IT service providers to the government to share certain breach information. I agree that sharing this type of information is important in order to enhance the effectiveness of our network defenses. It will be interesting to see how this is implemented and what, if any, pushback comes from impacted service providers.
The second area of focus is implementing stronger cybersecurity standards across the federal government. This only makes sense and work done here will be directly applicable to private industry as well. Multi-factor authentication, zero-trust, encryption, and more are all table stakes when it comes to cybersecurity, yet far too many organizations still lag in fully implementing these and other important technologies. Securing cloud services and effectively monitoring those services for signs of potential attack are equally important to government and private industry.
The next priority focuses on improving the security of the software supply chain. This is an obvious response to the SUNBURST (SolarWinds) attack and what we are still learning about its impact. The focus here is on getting software developers to implement more security around their development processes and code storage. It aims to create an “Energy Star” type label for software, to make it easy for acquiring organizations to know if the software they are purchasing subscribes to this baseline of software supply chain security.
The Executive Order will establish a Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board (NTSB), which investigates significant events in the nation’s transportation sector. In the event of a major cybersecurity event, the Secretary of DHS would be able to convene this review board to be sure that lessons learned are not lost. Far too often, there are insufficient reviews (post-mortems) of significant cybersecurity events, and there is a lost opportunity to learn from the event and help organizations across government and the private sector improve their cybersecurity stance. This review board would be comprised of both government and private sector representatives, ensuring the broadest possible expertise and communication of findings.
As the private sector has found, government has recognized that there is a lack of standards around incident response. Organizations handle incident response differently, often based on the severity known at the time. That severity is likely to change as more is learned about the event. To help with this, the Executive Order calls for the creation of a standard incident response playbook that will help federal agencies properly respond to attacks using a well-defined plan.
To further standardization across the federal government, the Executive Order enables a government-wide Endpoint Detection and Response (EDR) system, together with improved information sharing between agencies, to improve the defensive posture of government networks. Currently, each federal agency is able to implement whichever EDR solutions it chooses. This creates a lack of standardization, which flows through to a more complicated infrastructure for monitoring these disparate systems. The establishment of a standard solution, including configuration, deployment, maintenance and monitoring, only makes sense. Coupled with improved information sharing, government IT departments will be far better able to ensure that the system is maintained properly and evolves based on new information that comes to light.
Finally, the Executive Order calls for improvements to investigative and remediation capabilities across the government. This focuses on setting standards for logging and log review, to be sure potential risks are identified as early as possible. When coupled with improved reporting and information sharing, this should lead to more effective response to threats, which is the goal the Executive Order seeks to fulfill.
Members of the CompTIA ISAO focus on and discuss these same issues. The challenge facing the federal government is not far removed from the challenges that many MSPs face in securing their own environments and those of their clients. Standards and effective baselines are critical to gaining the upper hand in the cybersecurity battlespace. Government and private industry have a lot to share and learn from one another, and while this Executive Order primarily focuses on the federal government, it does lay out opportunities for collaboration with private industry. This is why CompTIA supports this Executive Order and stands ready to help implement these recommendations across all of our member organizations.
MJ Shoer is senior vice president and executive director of the CompTIA ISAO.