U.S. President Joe Biden this week signed an executive order on improving the country’s cybersecurity defenses. The order represents the government’s response to the SolarWinds and other significant attacks carried out by foreign threat actors.
The executive order focuses on removing barriers to threat information sharing, adopting more modern security solutions (e.g. zero trust architecture), enhancing the security of the software supply chain by requiring developers to improve their security practices, establishing a Cyber Safety Review Board that will review and assess significant incidents, and standardizing the government’s response to vulnerabilities and incidents.
The executive order also requires government agencies to improve their vulnerability and intrusion detection capabilities, as well as their investigative and remediation capabilities.
Industry professionals have shared thoughts on various aspects of the executive order, including benefits and shortcomings.
And the feedback begins…
Austin Berglas, Global Head of Professional Services, BlueVoyant:
“Although the order highlights numerous areas of weakness in our nation’s security, it is simply too lengthy and proposes actions that are generally unattainable. For example, information sharing has been discussed for years, but we have yet to see a truly actionable plan that produces results. What is the return on investment? The government still has classification issues sharing actionable, real-time intelligence back to the private sector. Supply chain risk has been front and center with SolarWinds and others – the issue is that smaller vendors in the supply chain don’t have the human or capital resources to properly protect themselves – and by nature of the chain, all the rest of us.
Perhaps it’s time to devote resources to help secure these smaller companies that are so critical to the ecosystem. In addition, the order makes no mention of training or “cyberization” of the younger generation. Who is going to implement, manage, and monitor these recommendations? Where is the plan to fill a massive gap in the fight to secure our infrastructure – the human element.”
Paul Brucciani, Consultant, F-Secure:
“I’m reading the news of President Biden’s Executive Order using Google Chrome which together with the other Google apps comprises 2 billion lines of code developed and maintained by 25,000 developers.
It is hard to write error-free code. One bug per 1000 lines of shipped code is very good going; 15-50 bugs per 1000 lines of code is the industry average. Writing secure code is harder still. It is these flaws that are used in cyber attacks to compromise the security of the target’s IT.
Consider then the context in which security software is produced. There are around 3,500 cyber security companies in the world of which 1,500 have received venture funding since 2017. Their primary aim is to survive by bringing to market as fast as possible a minimum-viable product and start gaining some market share, in the hope that they are bought before they run out of cash. The cyber security market is distorted. Free market economics do not apply. It is not the best products that sell, but the best marketed ones. Until we have an objective way to verify the efficacy of cyber security solutions, no amount of extra funding, heightened actions, or protocols, will make this problem go away entirely.”
Mark Carrigan, Senior VP of Global Sales Excellence, Hexagon:
“President Biden’s Executive Order, Improving the Nation’s Cybersecurity, is an important step to further protect our nation’s critical infrastructure, but should not be seen as a holistic solution to the threat posed by malicious attackers.
The Executive Order includes many laudable practices to improve our cyber security defense strategy, but is conspicuously absent of any mention of the federal government’s role in providing deterrence to malicious actors. An offensive cybersecurity strategy cannot be borne by industry. Companies are not in the business of taking countermeasures to disincentivize or punish attackers. It is the responsibility of the government to establish laws and strictly prosecute critical infrastructure cyber-attackers. We must send a strong message to the rogue elements and the governments who enable or ignore their activities that we consider cyberattacks on our critical infrastructure as a threat to national security. Without proportional consequences, bad actors, regardless of their motivation, will continue their malicious attacks. Their current financial gain is far greater than any fear of retribution.”
Bryan Orme, Principal & Partner, GuidePoint Security:
“This Executive Order is broad-sweeping in terms of both the scope of the order as well as the aggressive timelines laid out by the administration. Given the assumption that the agencies follow through with adoption of it, which is a large assumption, it should make a significant positive impact on the strength of US cyber defenses. The specificity of some of the controls and strategies that they call out should go a long way in terms of moving the US’s cyber defense posture from a primarily compliance-driven perspective to an actual risk-based perspective. This will be a huge shift for most government agencies, but provided that they follow through with the Order I believe it will significantly increase the security posture and resilience of the federal government.
One potential area of concern is in the incident reporting requirements that are being mandated in the order. Rapid incident reporting is important, but accurate incident reporting after understanding the full scope of an incident is even more critical. For many agencies and contractors who do not have an incident response capability, or are lacking full visibility into the scope of an incident, this could result in a significant amount of false positives or incomplete information being reported just to meet the deadline.”
Amit Yoran, CEO, Tenable:
“This is one of the most detailed and deadline-driven EOs I’ve seen from any administration. In the wake of a seismic attack, like SolarWinds, this is incredibly encouraging to see.
Within the next year, all software vendors for the federal government must have an established software development lifecycle. This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — one broken chain link can bring down the entire fence. While these practices won’t prevent all supply chain breaches, it’s an important step forward.
Part of the new guidelines includes breach notification requirements for software suppliers. This forces much-needed transparency and accountability across the private sector which have been avoided for too long. This should be a welcomed change by all — technology vendors, government agencies and end-users.
However, the next and arguably most important step is implementation. While we’re encouraged to see cybersecurity play a prominent role in President Biden’s policy initiatives, we must now focus our attention on making this executive order actionable.”
Dr. David Brumley, CEO, ForAllSecure:
“The statement is correct in that too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. However, the Executive Order offers no real incentives to be proactive. Incentives are not just avoiding punishment when you fail; it’s about rewarding the people in the field who know the right thing to do, and work to go the extra mile to do it.
The order is nearly entirely focused on *reacting* to a problem, and public-private partnerships. There is not enough focus placed on preventing software vulnerabilities. DARPA spent $60M showing the world that it is possible to build a fully autonomous system that finds, fixes, and fields those fixes in a fraction of the time humans take, and at speeds necessary to prevent an adversary the opportunity window to exploit.
I’d ask the government to think in terms of economics: what could they do to incentivize preventative behavior? Research shows finding a vulnerability is 100x more expensive after a system is fielded — and that’s assuming it’s not exploited by an adversary. What investment can they make to make cybersecurity autonomous, like in the CGC, and move that closer from state-of-the-possible to state-of-the-practice?
One last thought: I am left wondering if an unintended consequence of this EO is that companies will be incentivized to actually keep things more of a secret, since any potential vulnerability could hit their bottom line.”
Garret Grajek, CEO, YouAttest:
“What is important to note is that none of the actions are forcing changes in private entities – they instead are focused on strengthening the practices and responses of our federal government systems, while providing a response plan to major attacks like the Colonial Pipeline hack. Nor is there an implementation or call for a government owned or supervised ICS network for America’s critical infrastructure.”
Eric Cornelius, Chief Product Officer, iboss:
“This Executive Order is a good first step but it is likely not going to materially change the threat landscape. While the order sets the stage, it is mostly focused on federal networks. But the fact is that nearly all of America’s critical infrastructure is privately owned and operated. If America’s national security interests are to truly be protected, we will need regulatory requirements across all sectors of critical infrastructure.”