It’s no secret that Nation-State attackers are targeting US government agencies and organizations. As seen in the Solarwinds breach and the more recent Colonial Pipeline ransomware attack, cybercriminals are more motivated than ever to harm US government agencies and their infrastructures.
Due to the United States facing different persistent and more sophisticated cyber-attacks, United States President Joe Biden signed an executive order (EO) on May 12 to improve the cybersecurity of the United States. This executive order seeks to increase its efforts in detecting and responding to different attacks and threat actors in the cyber espionage landscape.
This executive order outlines the Biden administration’s first step in preventing future cyberattacks that could exploit and diminish federal agencies and supply chain technologies. The executive order is proof of an increasing effort to modernize the US government’s cybersecurity practices. Some would suggest it as a playbook for how different federal agencies should respond to security incidents and how to improve the sharing of exploited information post a data breach.
Additionally, this executive order presents the idea that the US government will play a significant role as a purchaser of different cybersecurity solutions and services to ensure its security and provide investment in the private sector.
As the executive order registers close to 8,000 words, we don’t expect you to have the free time to read it thoroughly. To help, here are the five main key takeaways you need to know:
Improving Software Supply Chain Security
One of the most glaring and important takeaways from this executive order is their effort to improve the security of software. To accomplish this, the US government is setting a baseline of security standards for the development of software sold to government agencies. This requires every security vendor to provide and maintain more comprehensive visibility for their software and strictly enforce their security data that is publicly available.
Through this order, the NIST will issue supply chain security guidance for government bodies. Each government agency must comply with the guidance, and use it for software procurement contracts. The supply chain security guidance must include secure development environments (implementing proper authentication and encryption), using automated tools to validate trusted source code supply chains, checking for vulnerabilities in secure environments and more.
All government agencies must comply with this security guidance. If they are using any security solutions that don't comply, the solution must be removed. With this security guidance in place, government agencies will be able to quickly determine whether the software was developed securely, based on government standards.
Incident Reporting Requirements for IT & OT Security
The executive order strives to reform how information about threats and incidents is shared by removing contractual “barriers.” The federal government is working with IT and operational technology (OT) service providers that have shown value by providing more insights into cyber threat and incident information on Federal Information Systems. However, until now, there have been major restrictions on limiting the sharing of such threat data with government agencies who are investigating cyber incidents.
The executive order is designed to help surmount this hurdle by enforcing that all government officials review all the current security needs and requirements IT & OT service providers. This will allow the government to recommend different updates guaranteeing that the service providers are collecting and sharing their incident reporting data with any agency with whom they are working with.
Enhancing Detection of Cybersecurity Vulnerabilities
Another major takeaway away from the executive order is to improve the ability to detect malicious activity on federal networks. The United States Office of Management and Budget will publish a set of requirements for federal civilian agencies to deploy different cybersecurity solutions that will support the detection of possible vulnerabilities.
By enabling different detection and response systems, government agencies will have improved information-sharing capabilities within the federal government. If different agencies adopt slower and less consistent deployment of cybersecurity solutions and practices, it will provide the opportunity for cybercriminals to exploit and expose the different government organizations. With the help of active cyber threat hunting, remediation best practices and incident response services, government agencies will be more equipped for addressing incoming cyber attacks.
By adopting this new approach of detecting cybersecurity risks, the US government should become the leaders in cybersecurity adoption with strong threat detection and incident response in place which is integrated with a concrete intra-governmental data sharing system.
Modernizing Federal Government Security
Another key takeaway from the executive order is the strong emphasis on modernizing government agencies' cybersecurity by implementing security best practices. As stated in the order, within 180 days all government agencies are required to adopt multi-factor authentication and encryption “to the maximum extent consistent with federal records laws and other applicable laws.”
Additionally, the executive order also is pushing for government bodies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure”. The modernization of government agencies' security is coming in the wake of the ongoing efforts by the US government as they are grappling with cybersecurity issues.
Establishing a Cybersecurity Safety Review Board
The Executive Order will establish a Cybersecurity Safety Review Board, which will consist of government and private sector leads. The board will be modeled after the National Transportation Board (NTB) which investigates different events in the transportation sector. The cybersecurity safety review board will convene in the event of a major cybersecurity event to investigate and analyze how the security event occurred, the findings and advise the security recommendations for improving cybersecurity. The Board will report to DHS on how the government can improve response practices. This reviewal process will ensure that lessons learned from each major security event won't be forgotten.
Similar to the private sector, government agencies have recognized there is a major gap in the standards concerning incident response. The typical organizational response is to handle the incident response on their own terms and too often tag the severity with the known information at the time of the attack. This allows the tagging of a severity incorrectly and the severity will most likely change over time as more information of the security event will come out. To help improve incident responding protocols and understanding the true severity, the executive order is recognizing the importance of establishing a standard incident response “playbook” that will help government agencies to properly respond to different cyber attacks with a more concrete plan.
While the executive order is still fresh, we will witness how the federal government embarks on major organizational changes and initiatives needed to accomplish the goals of the executive order. As cyber threats continue to increase in impact and size, it will be interesting to see how NIST and other agencies will define the requirements needed for federal agencies in the federal supply chain space.
Here at SCADAfence, we are committed to working closely with our agency customers, as well as the technical partners whose integrations our customers rely on. We will continue to work together to help achieve the goals of the executive order and strengthen OT security posture.
If you’re interested in receiving a full PCAP-based risk assessment or want to learn more about how to measure and increase your security program maturity, please visit this page for a short demo of the SCADAfence Platform.