US government systems and critical national cyber infrastructure seem to be falling prey to an ever-increasing number of attacks. One of the most common threats currently faced is ransomware, often orchestrated from within Russia or other hostile nations.
The recent Colonial Pipeline hack was a major wake-up call in terms of the disruption these attacks can cause, shutting down the nation’s largest fuel pipeline. What’s more, basic but robust data security protocols could have prevented it. Hackers gained access using a single compromised password. If only multi-factor authentication had been in place, they would have been stopped in their tracks and millions of dollars of economic disruption would have been avoided.
Thankfully, the White House has heeded this wake-up call, and in May President Biden issued an executive order (EO) entitled “Improving the Nation’s Cybersecurity.” It aims to bring all government systems, and by extension government contractors and supply chain vendors, up to speed on their data security protocols.
Some of it is basic stuff that all reputable software deployed in sensitive use cases should already be doing, such as encrypting data and using two-factor authentication, whereas other parts of the EO focus more on big-picture threat detection and management. Here’s the complete list of objectives, taken from the EO:
For government contractors or supply chain vendors wondering where to start with this, here are three key takeaways from the EO.
Information Technology (IT) and Operational Technology (OT) providers that provide services to the government, namely to federal departments and agencies, will need to meet new requirements with regard to the collection and storage of cybersecurity information.
This information will need to be shared with government agencies when attacks occur or threats are detected that pose a risk to government systems. The Cybersecurity and Infrastructure Security Agency (CISA) will be responsible for collaborating with businesses and remediating threats.
Aside from those services defined as IT or OT by the Executive Order, a further category of service provider, defined as information and communications technology (ICT) providers, will be required to quickly report any cybersecurity incidents involving software used by the government.
While the reporting requirements are less onerous than for IT or OT providers, ICT providers will still need to ensure processes are in place to support them. This is especially pertinent as it could cover a large range of small businesses that may not currently have such protocols in place.
New standards for secure software development are currently being created by the National Institute of Standards and Technology (NIST), in conjunction with government and industry. Complying with these standards will then become a prerequisite for all federal software procurement.
Given the enormous amount of software used by the government, no software developer is going to want to be locked out of selling to them. Therefore, the new NIST standards, once published, are poised to become the default data security standards for commercial software.
Regular consumers are also considered in the EO: IoT devices can be certified as secure if they pass the standards developed by NIST. This is aimed at better educating consumers when choosing software.
Government contractors will need to start working closely with their supply chain vendors to ensure those vendors are incorporating the requirements of the EO. Vendor risk assessments that were completed during initial onboarding or during the previous data security review period will need to be revised to ensure they cover the EO’s requirements. Areas of focus here should include data encryption standards and multi-factor authentication policies and procedures.
Legal counsel will also be required to review, and most likely update, existing vendor service contracts. Businesses will likely want to make the key points of the EO contractual terms with vendors, both to ensure compliance and to make sure any clauses standing in the way of the EO’s objectives are removed.
For example, as the EO makes it clear that threat information needs to be shared between private companies and government agencies, confidentiality and data processing clauses will need careful consideration, so that they don’t prevent the necessary data sharing with government agencies while still providing the requisite level of encryption and anonymity.
The basics contained in the EO are long overdue, so this is a welcome step in the right direction. And while the NIST secure development standards are yet to be published, creating a default standard for developers to base their security on is a no-brainer and will bring the US market closer to other regions, such as the EU, that are much further along this road.
Threat information sharing between the private sector and government agencies, and remediation by CISA, is the far more complex part of the EO. How organizations will facilitate this remains to be seen. However, as long as security officers start planning now, they’ll have plenty of time to implement it before it becomes mandatory.