President Biden just released an Executive Order (EO) on improving the nation’s cybersecurity to galvanize public and private efforts to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns. Specific measures in the EO reflect lessons learned from recent crises, such as the recent cyber espionage campaigns.
In our view, the EO signals two things.
It calls for making federal government systems stronger and safer so they’re harder to break into. It pushes specific actions to modernize cybersecurity in the federal government, such as zero trust architecture. And it uses the $70 billion information technology (IT) purchasing power of the federal government to impel the market to build security into all software from the ground up.
It sets a goal for more effective and agile federal government responses. It requires IT providers to report cyber incidents and removes contractual barriers for them to share information with government entities. The EO also standardizes the playbook for different agencies to respond together to incidents.
This is a matter of national security and trust. The EO says “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
This EO is just the first step for dealing with nation-state supply chain attacks. Sean Joyce, PwC’s Global & US Cybersecurity, Privacy & Forensics leader, had raised the urgency of more holistic action: The United States needs a more organized approach to cyberthreats. Already, the government and industry have lagged in updating our laws, our regulations, corporate responsibilities and adjusting to a digital, boundary-free world.
Who is affected?
Federal executive agencies are expected to modernize their technology environment and security practices.
Federal contractors, including commercial-off-the-shelf (COTS) software providers, will likely see new cybersecurity standards built into contract terms. They will be required to share more information on cyber incidents.
The private sector will likely see a focus on software supply chain security, as well as on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. As a result, software and IoT device companies should expect new security requirements and assessment standards.
The Biden administration EO outlines an array of cybersecurity objectives the government must meet, and there’s a short timeline to do so. As with former President Obama’s EO nine years ago, we anticipate a cascading impact, first to federal contractors and then rippling through other industries, as new standards are set and practices are adopted.
We now turn to the implications of the EO for the most directly affected: the providers of IT services to the federal government.
The EO directs the removal of any contractual barriers and requires IT service providers to share breach information that could impact government networks. The aim is to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole.
Short of national data breach legislation, this EO likely goes as far as it can to mandate cyber incident reporting.
Traditionally, only defense contractors have had specific requirements regarding breach reporting (DFARS 252.204.7012 clause). This EO will extend the requirement to all Federal Acquisition Regulation (FAR) contracts. As a result, contractors will need to understand the contract requirements and the ability of their underlying data governance frameworks to classify, manage and protect sensitive data (i.e., controlled unclassified information [CUI].)
In addition, contractors will be expected to collect and share information related to threats, vulnerabilities and incidents collected to share relevant information with CISA, FBI, and other agencies and boards for investigation.
The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection-and-response system and improving information sharing within the federal government.
The intent is to provide greater details to proactively identify threats, as well as having appropriate information to investigate and respond to incidents.
Proactive threat hunting leads to cyber risk reduction. The ability to actively search endpoints and identify sophisticated threats requires advanced tools, technology and people.
The EO creates cybersecurity event log requirements for federal departments and agencies.
IT service providers will be required to collect and maintain information from network and system logs on federal information systems (for both on-premise systems and connections hosted by third parties, such as cloud service providers), and to provide them to the government when necessary to address a cyber incident.
The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
This is expected to operate similarly to the National Transportation Safety Board’s (NTSB’s) investigations into major transportation incidents, and it will include participation from the private sector. The details concerning what incidents this review board will participate in have not yet been determined.
The EO calls for a standard set of operating procedures (playbook) and a set of definitions for cyber incident response by federal departments and agencies. The playbook will help ensure that all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
Standardized playbooks used by government agencies will likely speed up the response and investigative process. Currently, the cybersecurity vulnerability and incident response procedures vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes could lead to centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
Great resolve and good ideas in executive orders need to be translated into rules and standards. What are the important milestones?