On May 12, 2021, President Biden signed an Executive Order (EO) on Improving the Nation’s Cybersecurity. It is a detailed overview of the Federal government’s plan to better secure America – and it calls out zero-trust as a major pillar of that process.
The Executive Order
The Executive Order can be seen as a response to the extent and effect of recent breaches (SolarWinds, Kaseya, Colonial Pipeline, etc.), and the acceptance that Federal departments and agencies are failing to adequately secure their systems. An August 2021 Senate Report titled Federal Cybersecurity: America’s Data Still at Risk comments, “This report finds that these seven Federal agencies [out of eight analyzed] still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
The Administration’s conclusion is simple: “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
These ‘bold changes’ are outlined in the EO under eight sub-headings: improving threat information sharing; modernizing cybersecurity (accelerating the move to cloud and introducing a zero-trust architecture); improving supply chain security; establishing a Cyber Safety Review Board; standardizing the response to vulnerabilities and incidents; improving the detection of vulnerabilities and incidents; improving investigative and remediation capabilities; and an exemption for national security systems.
An EO is only mandatory for Federal departments and agencies, but its value and intent go much further.
The purpose of an Executive Order
A frequent comment heard from CISOs in the private sector is, “If it ain’t required, it’s not gonna happen.” Requirements come from legislation, but legislation takes years to enact. Cybersecurity cannot wait for that. An EO is a partial short-circuit of this process – it specifies an instant requirement albeit only in the Federal sphere. The hope, however, is that the EO recommendations will also be adopted by the wider private sector.
To better understand the purpose of this EO, particularly in relation to zero-trust, SecurityWeek talked to Rear Admiral Mike Brown (currently president of Spinnaker Security and formerly Director, Cybersecurity Coordination at DHS with a history of involvement in the development of EOs), and David Pignolet (founder and CEO of SecZetta).
“An EO creates awareness,” said Pignolet. “Awareness drives resources. If it is important enough for the government to pay that much attention to it, then it is probably important enough for the private sector to do the same. So, the board is now paying attention to prioritizing cybersecurity strategies within the enterprise because it is a Federal mandate to do the same within the government.”
But you cannot describe the detail of prescriptive cybersecurity requirements within the confines of an EO – so, an EO doesn’t attempt to. Instead, it lays out a plan for how to achieve the intended result. An EO is the plan of a plan, in this case for improved cybersecurity. It is directed at Federal departments and agencies, but also aimed at the private sector; and particularly those smaller enterprises that may not have the resources to develop and implement their own plan.
The plan of a plan for zero-trust
The cybersecurity experts at the DOD, NSA, and DHS – who generally guide the opinion of the government – have clearly settled on moving to the cloud and implementing a zero-trust architecture as being the two most immediate and practical methods to improve the nation’s cybersecurity posture.
“As practitioners,” comments Pignolet, “we’re still trying to define zero-trust. It means different things to different people.” That’s part of the purpose of having a plan for a plan: “In the coming 12 to 18 months we’ll see the evolution of a real definition of zero-trust and the parts and the pieces that make up a zero-trust architecture.”
Brown uses the analogy of defending a house to explain the basic premise. “When we look at defending a house, and we compare that to cybersecurity, the strategy we used to see was that we not only needed to lock the front door, but we needed to lock the back door and all the windows.” That’s classic external perimeter defense.
“But we found it wasn’t effective,” he continued. “The zero-trust concept applied to the house means every door and window – including those inside the house – needs a separate key and authorization. Every room in the house, every cupboard, every drawer, needs to have a different focus of authorization and authentication.”
It’s no longer one set of keys for everything, but everything must have its own set of keys in a ‘trust but verify’ scenario that applies to everyone seeking access to anything. “But a lot of things in today’s world cannot effectively be controlled by humans alone. There are non-human elements in the environment – and that’s part of what the EO is trying to address – the operational technology inside this zero-trust strategy.”
The keys and locks to everything are just part of the problem – it’s also a question of who has which keys and when. The right people must have the right keys to the right assets at the right time – and that includes full-time staff, contractors, and suppliers. Supplier access is particularly important to mitigate against supply chain attacks. This will require a formal identity authority.
Protecting the credentials and their use must also be covered. “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit,” says the plan of the plan.
As a very brief summary, we can see that a zero-trust architecture will require assets to be identified and micro-segmented; all authorized users identified, authenticated, and issued with only the keys they need on a least privilege basis (with the same principle applied to device-to-device access and supplier access); the keys to be created and stored securely; and use of the keys controlled by multi-factor authentication.
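To make that summary concrete, here is an added example (not from the article or any of the sources it quotes) of a minimal policy decision point that applies those elements: every asset sits in its own segment, access is denied unless the identity authority has issued an entitlement for that exact asset and action, supplier and contractor entitlements carry a validity window, and any use of a key first requires a completed multi-factor step. Asset names, principals and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str            # "staff", "contractor" or "supplier"; all are verified the same way
    mfa_verified: bool   # multi-factor authentication completed for this session

@dataclass(frozen=True)
class Entitlement:
    principal: str
    asset: str           # one key per asset (per room, per drawer), never one key for the house
    action: str
    valid_from: datetime
    valid_until: datetime  # every entitlement is time-boxed, so supplier access expires

# Constructed inventory: each asset is micro-segmented; unknown assets cannot be reached.
ASSETS = {"hr-db": "segment-hr", "build-server": "segment-ci"}

NOW = datetime(2021, 9, 1, 12, 0)
# Constructed entitlements as the identity authority would issue them.
ENTITLEMENTS = [
    Entitlement("alice", "hr-db", "read", datetime(2021, 1, 1), datetime(2022, 1, 1)),
    # The supplier's deploy right lasts two days, covering one maintenance window.
    Entitlement("acme-support", "build-server", "deploy", NOW, datetime(2021, 9, 3, 12, 0)),
]

def decide(principal: Principal, asset: str, action: str, now: datetime,
           entitlements=ENTITLEMENTS) -> Tuple[bool, str]:
    """Decide one request; the default answer is deny, whatever the network location."""
    if asset not in ASSETS:
        return False, "unknown asset"
    if not principal.mfa_verified:
        return False, "multi-factor authentication required"
    for e in entitlements:
        if (e.principal, e.asset, e.action) == (principal.name, asset, action):
            if e.valid_from <= now <= e.valid_until:
                return True, f"granted {action} on {asset} ({ASSETS[asset]})"
            return False, "entitlement outside its validity window"
    return False, "no entitlement for this asset: deny by default"

if __name__ == "__main__":
    vendor = Principal("acme-support", "supplier", mfa_verified=True)
    print(decide(vendor, "build-server", "deploy", NOW))          # granted
    print(decide(vendor, "build-server", "deploy", NOW.replace(day=4)))  # window closed
```

Note that staff, contractors and suppliers are handled by exactly the same path; the only difference between them is what the identity authority chose to grant and for how long.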
The EO is a plan to develop an integrated reference architecture that Federal departments and agencies must adopt, and under-resourced private companies should adopt, to successfully develop and implement a zero-trust approach to cybersecurity. “A reference architecture of how zero-trust operates is going to be defined by the Federal government,” says Pignolet. “This is a resource that private industry can use. Private sector companies don’t all have to go build their own reference architecture with their own interpretation of zero-trust – there will be a resource provided by the Federal government that defines it, at least in a governmental language, that private organizations can use to build their baseline architecture.”