In response to recent cybersecurity incidents such as the SolarWinds supply-chain compromise, the Microsoft Exchange Server vulnerabilities, and the Colonial Pipeline ransomware attack, President Biden signed an executive order intended to strengthen the cybersecurity posture of federal civilian agencies and of the contractors that supply them.
The 34-page executive order sets minimum security standards for the government and its contractors. For example, it requires federal agencies to adopt multi-factor authentication (MFA) and encryption of data at rest and in transit within 180 days, and to develop a plan for moving to a Zero-Trust architecture. A Zero-Trust environment builds on the principle that no user, device, or network location is trusted implicitly: each service, system, and workflow enforces its own authentication and authorization on every request, so that compromising one segment of the network does not grant access to the rest. Many organizations already use some form of MFA, but its adoption is far from ubiquitous, and few environments have fully implemented Zero-Trust. Because many legacy systems and vendor products lack support for it, implementing a true Zero-Trust architecture will be a difficult, multi-year effort. We hope the difficulty of implementing Zero-Trust does not hold back the much simpler step of rolling out MFA within these agencies. These measures, if properly implemented, should significantly improve the federal government's security.
Part of the order requires IT service providers working with the government to report security breaches affecting their own systems, or systems they operate on the government's behalf, and removes contractual barriers to sharing that information. Now, if only we could require all companies to notify customers of a breach involving their data. The GDPR in Europe already does this, requiring notification of the supervisory authority within 72 hours and of affected individuals when the breach poses a high risk to them; in the US, breach notification is governed by a patchwork of state laws with no equivalent standard at the federal level.
The order also establishes a Cyber Safety Review Board, modeled on the National Transportation Safety Board, and a standard playbook for incident response across federal agencies. Any good security program needs such a review function to verify that its policies are actually implemented and to learn from incidents. Additionally, the order starts a labeling program for software and consumer devices that meet minimum security standards; the White House compares it to the Energy Star rating for appliance power consumption.
One measure missing from the executive order is a requirement to implement, and regularly test, backups of all critical systems. Good security policies accept that some risk remains and mitigate it with backups so that a compromised critical system can be rebuilt rather than ransomed. For example, according to some reports Colonial Pipeline paid the ransom after last week's attack. With tested, offline backups that could be restored quickly, they could have avoided paying the reported $5 million ransom; backups that are untested, or that share credentials and network access with the production systems, are often encrypted along with everything else and are of no help.
Much of this executive order mandates security measures we would implement ourselves in any organization. We would have liked to see this happen long ago, but at least it is starting now.