
The Presidential Executive Order on Cybersecurity — What it Contains and How it Affects Government and Industry

Written by Beyond20 Staff

Why should I care about the Cybersecurity Executive Order?

The recently published Presidential Executive Order on Improving the Nation’s Cybersecurity, while its most direct impact and focus is on cybersecurity practices within the US Government, has far-reaching effects on companies doing business with the US Government and even on those that do not. Cybersecurity and cyber threats impact us all. The EO is also the most comprehensive cybersecurity-related order of its time and can be used as a model by companies throughout the US and beyond. This article breaks out the key milestones and objectives directed at US Government agencies, discusses the relationship between the public and private sectors when it comes to cybersecurity, and covers key points on other related US Government cybersecurity activities not specifically addressed within the Executive Order.

Cybersecurity in the Federal Government Today

Prior to the Presidential EO, a unified vision for cybersecurity did not exist at the top levels of our government, nor did a centralized coordination of efforts. Instead, it was managed at the agency level. Thus, the EO is a big deal and is an exciting step forward. There are several government agencies whose mission includes cybersecurity and whose leaders are appointed by the President. These agencies include the Department of Homeland Security (DHS), Critical Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, Defense Information Systems Agency (DISA), Central Intelligence Agency (CIA), and the Department of Energy (DoE), as pictured below. There are also some cyber-related programs that come from the Government Accountability Office (GAO) and the Office of Management and Budget (OMB), which report cyber failings and manage the cybersecurity-related financial budget of the government.

Figure 1: A Sample of Cybersecurity-Focused Agencies

However, the challenge of cybersecurity being spread across agencies is that there can be conflicting missions and a lack of information sharing. For example, the NSA has a predominantly intelligence-gathering mission with some offensive penetration testing tasks. Meanwhile, CISA and DISA both have primarily defensive missions, charged with defending against offensive cyber operations. And, confusingly, the FBI is expected to defend and assist the private sector in responding to cyber-attacks while also being known to use offensive cyber tools to conduct its investigations, such as the Network Investigative Tool (NIT), which is essentially a government-authorized Remote Access Trojan used to spy on target devices. Thus, cybersecurity within the executive branch of the government is disjointed, and the EO is working to solve this challenge.

What’s in the Presidential Executive Order on Cybersecurity?

The Presidential Executive Order on Improving the Nation’s Cybersecurity, published in May of 2021, is lengthy and written in the typical government memorandum or directive format, making it somewhat challenging to digest. There are eleven sections, each with a myriad of paragraphs and sub-paragraphs directing agencies of the Federal government to take specific actions, as well as requesting that private sector individuals contribute assistance to the Federal Government through partnerships with the government. What’s nice about the EO document is that it’s summarized by a fact sheet, published at the same time as the executive order, highlighting the seven items that make up the objectives of the order:

Executive Order on Improving the Nation’s Cybersecurity

  1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector.
  2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government.
  3. Improve Software Supply Chain Security.
  4. Establish a Cybersecurity Safety Review Board.
  5. Create a Standard Playbook for Responding to Cyber Incidents.
  6. Improve Detection of Cybersecurity Incidents on Federal Government Networks.
  7. Improve Investigative and Remediation Capabilities.

We will cover each objective in some detail here and show which section each objective ties back to in the full EO.

1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector (EO Section 2)

The reason this objective is so important is that there are situations where a private company may be aware of specific threat intelligence on an existing threat that the government is not aware of. Depending on the nature of the partnership or contract between a company and the government, the company may not be required to share that intelligence directly with its government customer. Similarly, it may in fact see a live threat and notify its customer accordingly to immediately respond to the threat, but it may not be inclined to share what led to this discovery with downstream government agencies.

Another component of information sharing that, up to this point, has been disjointed is the lack of cohesive Vulnerability Disclosure Programs (VDPs) within government agencies. However, that is changing. Security researchers have not given attention or consideration to government agency resources in the past because there was no sound mechanism for reporting a discovered vulnerability. There has been a VDP for the DoD since 2016, but it only addressed public-facing websites, and it was only recently expanded, in early 2021, to include all public-facing information systems.

This disconnect in intelligence sharing and threat reporting is being addressed by the directive to the Director of the Office of Management and Budget to recommend updates to the language of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation (DFAR). This directive had a 60-day deadline which has since passed, with the next deadline set at 90 days from receipt of recommendations from OMB (on October 12th) for the FAR council to review proposed contract language and publish proposed updates to the FAR for comment. Other related requirements include similar DHS and CISA efforts to define the types of incidents requiring reporting by service providers to CISA/FBI.

Thus far, to improve on threat sharing activities, CISA has coordinated a government-wide vulnerability disclosure program via BugCrowd where a number of agencies have functioning VDPs available and linked within that platform. Additionally, CISA has implemented a process to receive vulnerability reports directly detailed here.

Of course, from a private sector standpoint, these programs and platforms may take some time to see real mainstream adoption. The Federal Government doesn’t have a great track record with regard to privacy, so the public-private sector relationships may need to have additional regulatory controls in place to ensure that the government isn’t going to abuse or release private-sector research.

2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government (EO Section 3)

This section includes the introduction of Zero Trust Architecture and moving to secure, FedRAMP cloud environments. Zero Trust Architecture is a fairly new architecture model, built on the “never trust, always verify” principle. The premise is that at any given time, no single device and no single user is ever inherently trusted; each must always have its presence and access levels verified.

One challenge that will face the whole of government in adopting Zero Trust Architecture is the requirement to have a holistic understanding of all entities within the domain. That is to say, agencies need to define the “protect surface” by identifying and classifying every application and user. The government will need to grasp “what is talking to what” 24/7/365 throughout the enterprise, so having a strong IT Asset and Configuration Management practice in place is crucial.

This section of the EO also directs deployment of multi-factor authentication, encryption, and fully functional cloud-computing environments. It gives CISA oversight to lead the remainder of the Federal Civilian Executive Branch (FCEB) agencies in these tasks. The directive includes a requirement for heads of agencies to provide reports on the progress of their adoption, and to continue doing so until they’ve fully adopted all of the measures prescribed.

The deployment of Common Access Cards (CACs) as a standard authentication mechanism throughout many information systems used in the Federal government gives the government an advantage in terms of multi-factor authentication and encryption. CACs are a government-implemented smart card technology that utilizes Public Key Infrastructure (PKI) to provision certificates used to encrypt and decrypt communications as well as digitally sign documents and e-mails. CACs enable physical access to buildings and other controlled spaces and provide access to computer networks and systems. Thus, the infrastructure is already there; it just needs to continue to be fine-tuned and integrated within the whole enterprise, across all domains and networks.

3. Improve Software Supply Chain Security (EO Section 4)

The objective of this section is to develop an “Energy Star” type of label or grading system, intended for the government and public at large, to be able to quickly determine whether software was developed securely. This system will include minimum standards for testing of source code as well as recommended types of manual and automated testing.

Supply chain security has been in the headlines a lot over the last year with a number of notable high impact attacks. For a deeper dive into how organizations can manage the associated risks and see a specific example of how an “Energy Star” grading system might be implemented, take a look at my article here.

This section of the Executive Order requires NIST to solicit input from all appropriate actors, to identify and develop existing or new standards and best practices regarding supply chain security. Preliminary guidelines developed from these responses are required six months from the date of the Executive Order (November 2021).

4. Establish a Cybersecurity Safety Review Board (EO Section 5)

The establishment of a Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board (used to review airplane crashes and other major transportation incidents), is directed in section 5 of the executive order. This board will be co-chaired by government and private sector leads and will convene following significant cyber incidents to analyze what happened and make concrete recommendations on improving cybersecurity to prevent future incidents. Convened by the Secretary of Homeland Security, the review board will initially review activities that prompted the establishment of a Unified Coordination Group in late 2020, which provides coordination between and among federal agencies on significant cyber incidents. The board’s initial review is also, in part, a response to the SolarWinds compromise of US Government networks.

5. Create a Standard Playbook for Responding to Cyber Incidents (EO Section 6)

This directive seeks to standardize procedures across all FCEB agencies to ensure a more coordinated and centralized cataloging of incidents and tracking agencies’ progress toward successful response. The directive mandates that CISA develop a playbook to be used in vulnerability and incident response activities for information systems within all FCEB agencies. This playbook is expected to be released within 120 days of the executive order, on or around September 2021.

Concurrently and in line with the establishment of a Safety Review Board, as well as in partnership with public and private sector stakeholders, CISA has formed a Joint Cyber Defense Collaborative (JCDC) intended to promote national resilience through coordinated action across federal agencies; state, local, tribal, and territorial governments; and private sector entities.

6. Improve Detection of Cybersecurity Incidents on Federal Government Networks (Section 7)

This initiative brings up the topic of Endpoint Detection and Response (EDR), which — through automation — detects and investigates suspicious activities on hosts and endpoints and allows security teams to quickly identify and respond to threats. The EO directs CISA to provide recommendations to OMB to implement a central EDR initiative that supports host-level visibility, attribution, and response on FCEB information systems. The initial recommendation had a 30-day deadline. The next deadline is within 90 days of receiving those recommendations, when OMB will issue requirements to all FCEB agencies to adopt a Federal Government-wide EDR approach. These requirements will support CISA’s capability to engage in cyber threat hunting, detection, and response activities.

CISA, as the agency responsible for conducting threat hunting, is also expected to recommend procedures ensuring that mission-critical systems are not disrupted by CISA threat hunting. Section 1705 of Public Law 116-283 grants CISA authority to conduct threat hunting on FCEB networks without prior authorization from agencies, and CISA is now required to report how it is applying this authority.

There are similar directives for the Director of the NSA to recommend actions to improve the detection of cyber incidents specifically within the context of National Security Systems. Currently, the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) are set to establish policies and recommendations due 45 days from when the EO was issued.

One thing worth noting is that this section changes the dynamics and mission of CISA as our “National Blue Team” or “Defender” organization and adds a significant “Red Team” scope to the agency.


With the addition of Red Team activity to CISA departments, we may see a full shift over the coming months and years from a Blue Team to more of a Purple Team. For an explainer on red vs. blue vs. purple, check out this article.

Additionally, given the newly added red-team nature of CISA, there may be some angst amongst agency leaders throughout some of the Department of Defense and Intelligence Community agencies as, frankly, those agencies aren’t used to how they work being “spied on.” Rather, they’re used to doing the spying. Having to take a back seat to let CISA have visibility into their agency IT operations may well create internal conflict at the highest levels of the Federal Government. My hope is that they’ll be able to remain level-headed and work well together, but this is definitely a space to watch in the near future.

7. Improve Investigative and Remediation Capabilities (EO Section 8)

The final section of the EO is a directive to create event log requirements. This particular directive is meant to serve as a complement to Section 7, specifically requiring that every federal agency, upon request, provide log data to the Department of Homeland Security and CISA. It also mandates centralized log collection at the highest security operations center level within each agency.

This section directs OMB to devise a list of requirements for federal agencies to log events and specify other relevant data to be logged or retained for investigative, detection, and response purposes.

Logging within cybersecurity is paramount. Without logs, a cyber intrusion might go undetected or, if detected, could not be investigated further to attribute the source of the attack or analyze the tools, techniques, or procedures used. To some degree, many computers and systems log some information by default, but there are additional utilities and platforms, along with settings in the respective operating systems, that may be configured to enable more robust logging of information relevant to access or changes to the computer system. Having a thoughtful and robust Monitoring and Event Management practice in place can be extremely helpful here.

The intent of this section is likely to create a standardized requirement based on common Security Information and Event Management (SIEM) capabilities. Given the requirement for logs to be centrally collected and stored and to be provided to DHS/CISA upon request, this section of the EO may serve to standardize and improve CISA’s ability to investigate and respond to live threats and intrusions.

Final Thoughts on the Executive Order for Cybersecurity

There are a number of items that have caused and will continue to cause new and more collaborative activity in and around Federal Government agencies. With that said, executive authority only extends so far. The same is true in the private sector. Talking about cybersecurity will not be effective until it results in daily action and changed behavior.

Meaningfully improving the United States’ cybersecurity posture, and the cybersecurity of private businesses and critical infrastructure residing in the US, will require not only executive action but also legislation to enact new laws with relevant technological terminology and the inclusion of modern-day tools, techniques, procedures, and industry-recognized norms. Once legislation is passed, it will then have to be litigated through the judicial system for the judiciary to interpret those laws through relevant court cases. In short, we are still several years away from significant government-wide and nation-wide improvements, but every step we take now to improve security anywhere is a benefit to government and our society, and this is a great first step.

Originally published October 10 2021, updated May 05 2023