President Biden's promised Executive Order on cybersecurity came out as millions of Americans on the East Coast could not find gas for their cars.
The gas shortage was fallout from the Colonial Pipeline ransomware attack and subsequent shutdown, and the White House put that front and center in its remarks on the Executive Order:
"It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses. However, the Colonial Pipeline incident is a reminder that federal action alone is not enough.
Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments.
We encourage private sector companies to follow the Federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents."
So what does the president's cybersecurity Executive Order (EO) focus on? Here are the top themes that stood out as we looked through it.
As U.S. public and private sector organizations face increasingly sophisticated cyber threats, the need to communicate clearly and effectively has never been more important.
One goal of the EO is to make it easier for IT service providers and other organizations to share threat information with the government, and to require them to report certain breaches that could affect federal networks.
"IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches.
Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation's cybersecurity as a whole."
It is no secret that the U.S. government has not been at the top of its game when it comes to cybersecurity. After recent incidents such as SolarWinds, the Microsoft Exchange Server attacks, and Colonial Pipeline, it is clear that the government and private organizations alike need to improve their cyber policies.
Here is how the EO says it will do so:
"Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption."
A well-known problem with software security is that a great deal of software ships with significant vulnerabilities. This happens for a variety of reasons, but the government believes it is time to address the issue.
"The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market. Finally, it creates a pilot program to create an 'energy star' type of label so the government—and the public at large—can quickly determine whether software was developed securely."
The U.S. government plans to use its purchasing power to drive manufacturers to build security into all software from the ground up.
The EO also establishes a national Cyber Safety Review Board, which would prove very helpful for organizations that have to deal with the ramifications of a cyberattack.
Co-chaired by government and private sector leads, it will be able to analyze the situation and make concrete recommendations for improving cybersecurity.
"Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents."
This very idea will be discussed at the SecureWorld Gov-Ed virtual conference on June 10, 2021.
Every day, organizations around the world are hit with cyberattacks, and many of them don't have the proper resources to respond appropriately.
Can you imagine how helpful a standardized playbook and set of definitions for incident response would be?
That is what the EO claims it will accomplish.
"Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely.
The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts."
For all the details on the White House's plan to improve the nation's cybersecurity, you can read the full Executive Order, "Improving the Nation's Cybersecurity," on the White House website.