Prepared: May 13th, 2021; Published: May 17th, 2021
Below is my personal analysis of the executive summary.
On May 12th, President Biden signed an Executive Order (EO) that addresses improvements to our nation’s cybersecurity. In my report, I highlight areas of interest and summarize each section while providing my insights on this EO.
Note: I encourage discussion via messaging below or sending me a DM.
This EO was a reactionary response by the federal government following several cyberattacks in the last year targeting different industries. Here are some examples of the most recent attacks:
- February 2021: a cyberattack impacted the industrial control (SCADA) systems of a Florida water treatment plant, where the attacker used remote access to the system to change the level of sodium hydroxide.
- December 2020: we had the most significant supply chain attack to date, SolarWinds, impacting approximately 18,000 of their 300,000 customers operating vulnerable versions of the SolarWinds Orion platform.
- September 2020: our healthcare infrastructure was hit with ransomware that impacted over 400 locations of Universal Healthcare Services.
The Colonial Pipeline incident was an unfortunate event, and in a way, it’s the proverbial straw that broke the camel’s back, the camel being Congress. For years, cybersecurity professionals have been pressing Congress for refined cyber laws and policies to address the emerging threatscape.
Recently, we witnessed one of the most catastrophic attacks on our fuel supplies, causing mayhem on the East Coast. This cyberattack has shaken our nation to the core, and finally, action!
This EO is a start and a significant first step by our President, but we cannot stop here; we need bolder actions.
Below I summarize and provide my analysis for Sec. 1-9.
Sec. 1. Policy
This section comes in reasonably strong. It addresses the need for bold and deliberate changes and investments to address our cyber laws and policies to protect the American way of life. It also talks about the need for public and private partnerships and their critical necessity for successfully defending our nation’s cyber borders. However, I did not see a lot of bold action within this EO, but instead, necessary actions that are long overdue.
We still need bold actions taken on cyber law and policies. Today, much of our cyber regulatory measures originate from a 1984 statute, the Computer Fraud and Abuse Act of 1984 (CFAA). The CFAA covers general crimes such as malicious damage to federal computer systems of more than $1,000, trafficking of computer passwords, and modification of medical records. The CFAA received its first amendment in 1994, when Congress recognized that the face of computer security had drastically changed since 1984; this amendment was called the Computer Abuse Amendment Acts.
Our cyber policy and law to this point have been reactionary. An example is the first significant data breach, which happened to Yahoo in 2016, in which hackers stole approximately 500 million accounts dating back to 2014. This breach sparked the need for data protection, and next came the Consumer Privacy Protection Act of 2017.
Sec. 2. Removing Barriers to Sharing Threat Information
This section does a decent job of addressing the need for a formalized process for data sharing between agencies and organizations. It provides guidance on removing sharing restrictions.
Data within cybersecurity is siloed between the private and public sectors. Then, inside the government, data is siloed further depending on the agency. This section addresses those concerns and places the Director of the Office of Management and Budget (OMB) in a position to work with other departments and agencies to review and revise the Federal Acquisition Regulation (FAR).
This section also provides guidance for standard cross-agency contracts and for reporting an incident within a minimum of 3 days once first identified, which I believe is a hefty ask.
Sec. 3. Modernizing Federal Government Cybersecurity
This section summarizes the modernization of systems with best practices: Zero Trust Architecture, migration to cloud environments, multi-factor authentication requirements, and stronger encryption protocols.
Trying to multi-factor everything is going to be another heavy lift for the federal government, which already has large contracts in place. This will take a lot longer than the time proposed within this section.
As cyber professionals, we have witnessed the impacts of utilizing a legacy cybersecurity platform. With the dynamic and rapidly changing threatscape and the lack of governance in cybersecurity modernization, the Federal Government cannot keep up with even the most basic security practices. One example that I, like most DoD employees, am familiar with is the continued use of Internet Explorer as the primary browser.
Many years ago, when I had a DoD computer, I remember it was an act of Congress to have Chrome or Firefox added to your machine. As cyber professionals, we know how vulnerable Internet Explorer is, yet it’s still allowed on DoD machines and often used as the primary browser. Why?
Overall, Sec. 3 addresses the need for adopting and modernizing our federal security practices. This includes the move from on-prem infrastructure into a cloud environment and, what I love, the plan to “centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.”
Sec 4: Enhancing Software Supply Chain Security
This section has 24 subsections. It focuses on NIST-led work: supply chain security, interagency communication, “critical software,” and requesting more transparency from commercial software vendors to allow more rigorous testing of systems before adding them to the federal network.
The partnerships for this action will be led by the Secretary of Commerce acting through the Director of the National Institute of Standards and Technology (NIST), while soliciting input from academia, the private sector, the Federal Government, other compliance standards and frameworks, and other subsections within this EO.
Note: NIST is holding a workshop and has a call for position papers on Standards and Guidelines for Enhancing Software Supply Chain Security in support of this EO. Submissions are due no later than May 26th (link).
Therefore, in the next 180 days, we “should” have preliminary guidelines for improving supply chain security. These will be published by the Director of NIST, along with updated security guidelines for safeguarding our software supply chain.
Subsection (e) provides a fairly comprehensive list of criteria for the security guidelines.
Subsection (g) draws in other agencies such as the NSA, DHS, CIA, OMB, and the Office of the Director of National Intelligence to define the term “critical software” for the guidance in the aforementioned subsection (e).
Subsection (n) places a 1-year timeline on software suppliers to comply with the above requirements and guidelines. This is considered part of the “pilot program,” and the one-year review will be conducted in a manner consistent with OMB Circular A-119 and NIST Special Publication 2000-02 (Conformity Assessment Considerations for Federal Agencies).
Sec 5: Establishing a Cyber Safety Review Board
This might be one of my favorite sections of this EO so far. Sec. 5 outlines the establishment of a new safety board, the “Cyber Safety Review Board,” pursuant to section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451). It also explains the overall makeup of the board and that it will have a two-year life cycle directed by the President.
This joint board will bring together key leaders from both public and private sectors to a central point to evaluate and assess cyberattacks.
Should an attack occur, this board will convene and then establish a Cyber Unified Coordination Group (UCG), a committee established in December 2020. The UCG may convene at the request of the Secretary of Homeland Security or of the President acting through the APNSA.
Sec 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This section is about standardizing incident response across all agencies. CISA is the reviewer and validator of Federal Civilian Executive Branch (FCEB) incident response and remediation results.
As cybersecurity leaders, we know there is no standard operating procedure for responding to, remediating, or recovering from a cyberattack. This section addresses these concerns while leveraging the help of the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB, the Federal Chief Information Officers Council, and the Federal Chief Information Security Council. There will also be coordination through the Secretary of Defense acting through the Director of the NSA.
The Attorney General and the Director of National Intelligence must develop a standard, or playbook, that guides planning for conducting vulnerability assessments and incident responses. This playbook must incorporate the NIST standards used by FCEB agencies and the steps needed during and after an incident response.
I would start looking for a standardized incident response playbook in the next 120 days (unless an extension is requested).
Sec 7: Improving Detection of Cybersecurity Vulnerability and Incidents on Federal Government Networks
This section highlights the need for Endpoint Detection and Response (EDR) for the FCEB. There is a 45-day window for the Director of the NSA to provide recommendations to the Secretary of Defense on the best approach for EDR reporting, whether done by individual agencies or through a centralized service.
Interesting to note: on February 5th, 2021, CISA issued a revised version of Binding Operational Directive 20-01 (original publication date of September 2nd, 2020), which required “FCEB agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services, and maintain processes to support their VDP.”
If you review this document, you will see that much of the content in Sec. 7 was already within BOD 20-01. Likely what will happen is that BOD 20-01 will be refined and utilized to address the EDR needs.
Sec 8: Improving the Federal Government’s Investigative and Remediation Capabilities
This section is short, addressing the need for log retention and data collection to address cyber incidents on FCEB information systems. It describes the need for integrity protection of that data and for access to it by other agencies on an as-needed basis.
Sec 9: National Security Systems
This section addresses the requirement that National Security Systems meet or exceed the criteria outlined in this executive order.
My Final Thoughts
I believe this EO is a decent first step toward hardening our infrastructure and mitigating cyberattacks. Communication, data, and actionable intel are vital in this field. I desire to see more joint data-sharing platforms similar to the ISACs.
Nevertheless, this Executive Order is reactionary and a response to the most recent cyberattack. I am thankful that actions were finally taken; however, I encourage our government leaders and other industry leaders to become proactive in refining policies and security frameworks. Let’s stop waiting on the government to dictate the changes; let’s address them ourselves and work together in implementing the changes.
The threat actor that targeted Colonial Pipeline (DarkSide) is not a nation-state threat group. They are not governed by or confined to a country’s laws and regulations. Groups like DarkSide are becoming more prevalent because it’s nearly impossible to impose a country’s laws on them and enforce consequences for their actions. This allows eCriminals to execute large-scale cyberattacks without major repercussions.
Change must happen, and the time is now!
I encourage you to call your Congressman/Congresswoman and speak up.