President Biden’s latest executive order for the country’s cybersecurity and the protection of federal government networks is a much-needed step to bring the US on par with peer countries.
The order recognizes how significant the private sector’s cooperation is for heightened security, acknowledges the importance of diverse, collaborative talent, and establishes various new federal roles, boards, and procedures that all, federal or not, will need to adhere to.
US cyber strategy scope and methodology
The executive order is separated into distinct sections setting out the scope and areas of focus and intent.
Section 1. Policy
In a bold statement, this section emphasizes the attacks encountered and the continued risks the US is exposed to. The Policy focuses on the need for the private sector’s cooperation and efforts in protecting the Federal Government’s systems and the “American people’s security and privacy.”
The Policy also highlights the need for complete cybersecurity in all its guises:
- Implementing better proactive strategies, including identifying, deterring, protecting against and responding to malicious attackers.
- Ensuring that no system is compromised, whether cloud, on-premise, hybrid, a system to process data or the machinery to ensure safety.
All corners and minutiae are to be brought forward and included.
Section 2. Removing barriers to sharing threat information
Due to contractual obligations and data privacy, IT services working with the Federal Government have historically been reluctant or unable to share information around potential breaches and security threats they’ve experienced. Removing this barrier will enable more knowledge to be shared and cybersecurity, on the whole, to be more effective.
Section 3. Modernizing federal government cybersecurity
While not new to the private sector, this section addresses the need for modernizing security best practices. It will look to employ more secure cloud services, “zero-trust architecture,” and multi-factor authentication and encryption implementation as standard within government infrastructure.
Section 4. Enhancing software supply chain security
Clearly, this section responds to the serious SolarWinds attack earlier in the year and to the numerous other supply chain attacks that large corporations and government agencies have also experienced lately.
The goal is that, by establishing baseline security standards for government suppliers and creating an “energy star” pilot program that’ll clearly indicate a software’s security policy, the market will be driven to heighten its basic security standards. Starting within the federal government, the aim is to eventually mirror this high standard within the private sector.
Section 5. Establishing a cyber safety review board
The Cyber Safety Review Board will be made up of both government and private sector members, with the sole aim to adequately review, analyze and make recommendations post-breach or attack.
Section 6. Creating a standard playbook for cyber incidents
The playbook will have standardized procedures and definitions for government agencies and departments to use. Knowledge of cyber incidents currently varies too widely between departments, resulting in diverse and often inadequate responses. With the playbook, uniform and vetted steps will be taken to identify and mitigate threats.
Section 7. Improving cybersecurity vulnerability detection
This section, which isn’t new for the private sector, focuses on the proactive detection of vulnerabilities. It emphasizes the use of government-wide endpoint detection and greater interdepartmental information sharing.
Section 8. Improving investigation and remediation
In a nutshell, this section refers to better logging practices to enable more efficient and productive post-attack investigation.
The roles and responsibilities for the 2021 US cyber strategy
What will the National Cybersecurity Director do?
The Government Accountability Office (GAO) identified 23 different federal agencies with roles and responsibilities in cybersecurity. The latest executive order has created the National Cybersecurity Director (NCD) position to coordinate its efforts for the 2021 cyber strategy.
Chris Inglis has been appointed as NCD, with his responsibilities outlined as:
- Senior advisor to the president
- Advisor to the White House and US government agencies, including the National Security Council (NSC), Homeland Security and other federal agencies and departments
- Leads cyber policy and strategy implementation: overseeing performance and budgets and recommending changes
- Develops plans, processes and a playbook for cyberattacks
- Leads coordinated incident responses
- Engages with the private sector and international partners on emerging technology
- Annually reports to Congress on cybersecurity issues
- Issues rules and regulations as necessary to fulfil function and duties – this is a rare authority in the White House offices
- Represents the president where required and on the president’s direction
Other departments critical to the US Cyber Strategy
During the 2016 Obama administration, various government departments were assigned roles in the country’s cybersecurity efforts as part of the United States Cyber Incident Coordination. These will feed into the 2021 US Cyber strategy, with the NCD overseeing them all.
Department of Homeland Security (DHS)
The Cybersecurity and Infrastructure Security Agency (CISA) was created as the primary component within the DHS to manage cybersecurity. CISA’s primary focus is on the nation’s critical infrastructure, including the power grid, water systems, and hospitals. However, in light of federal cyberattacks, CISA’s multi-billion-dollar EINSTEIN security system has been criticized for not detecting intrusion early enough to prevent serious breaches. It remains a bone of contention.
Office of Management and Budget (OMB)
The OMB approves and enforces the security requirements on federal agencies and oversees the interagency cooperation between the DHS and civilian agencies regarding cybersecurity. It also promotes initiatives and develops guidance to strengthen federal programs.
Department of Justice (DoJ)
The DoJ holds cybercriminals accountable for their malicious actions and brings charges against hackers associated with nation-states. Recent indictments have been against Russian intelligence officers and North Korean hackers involved in multiple serious cyberattacks, which included targets in the 2018 Winter Olympics and the theft of millions of dollars of cryptocurrency, amongst other events.
Department of Commerce (DoC)
The DoC is responsible for ensuring that the US is competitive in cybersecurity, with the National Institute of Standards and Technology at the center. NIST develops cybersecurity standards, best practices, and technology to protect both federal government and private sector networks.
What happens next?
While we are only at the start of overdue fundamental change, it’s a big step in the right direction for the US. Since the executive order was signed and announced, the White House has urged private businesses to step up their cybersecurity so that it becomes a collective and whole effort. But what should this involve?
A few sections and initiatives within the executive order for the federal government’s modernization are already known to the private sector. However, if your business hasn’t yet implemented critical cybersecurity measures, such as endpoint detection, multi-factor authentication, and a cyber incident response plan, these must be implemented immediately.
To reiterate a significant point coming from the federal government, no one can do this alone. It is affecting everyone. Therefore, a collective and collaborative effort is necessary for the best chance against increasingly advanced malware strategies used by hackers.
NIST and other government and industry bodies have yet to assess, scrutinize, and refine the plan; however, President Joe Biden’s statement, making cybersecurity a priority, shows the urgency of this issue and demonstrates Biden’s commitment to it.