New Cybersecurity Executive Order: What It Means for the Public Sector

I. Introduction

The first half of 2021 has been one of the most eventful periods in memory for U.S. and Federal cybersecurity. High-profile supply chain attacks starting in late 2020 as well as this year’s broad campaign against Microsoft Exchange Server have kept incident response and recovery teams working around the clock and policymakers on high alert. The recent DarkSide ransomware attack on Colonial Pipeline, allegedly by a well-known adversary known as CARBON SPIDER, only exacerbated the situation — and drives home awareness of threats to critical infrastructure.

In parallel, significant personnel and organizational changes across the Executive Branch have introduced new leadership and new priorities, an initial tranche of which are advanced through this week’s cybersecurity Executive Order (EO). Cybersecurity-focused Congressional committees also have new composition and new leadership. With necessary reforms becoming clearer, we’d like to offer a few perspectives on the next steps to strengthen U.S. and Federal cybersecurity.

II. National Cybersecurity Posture

The new EO mandates a number of steps intended to strengthen security posture at a national level. Ideas like critical incident reporting, the NTSB-style Cyber Safety Review Board, the use of software bills of materials, and nutrition-style labeling for IoT devices have circulated within policy circles for some time, and many are treated in some detail within the recent U.S. Cyberspace Solarium Commission report. While only so much can be achieved by this sort of guidance rather than legislation or regulatory actions, some of the mandates for Federal contractors can spur new best practices adopted by companies serving the commercial and consumer spaces.

It’s encouraging to see within the new EO formal processes and timelines established to evaluate and design criteria for these concepts. Like other policy initiatives, their ability to positively impact U.S. cyber readiness will depend on implementation and funding. But we’re encouraged to see the extent to which agencies will consult with stakeholders, including industry, for feedback. We’ll contribute to these efforts and encourage our customers, and partners with specialized or applied experience in critical sectors, to do the same. 

III. The “.gov”

Above all, the EO adopts successful cybersecurity concepts from the private sector as mandates to secure the “.gov.” This includes a holistic approach to removing barriers to information sharing, developing standardized incident response playbooks, requiring the implementation of proven technologies such as Zero Trust, vulnerability identification and log management, and leveraging threat hunting. Requirements like these, embracing the idea to collect and make better sense of centralized security data — an increasingly important objective for defenders — can indeed pay dividends. We’ll briefly discuss a couple of additional points we think will be most impactful operationally.

First, the EO’s focus on IT modernization is also encouraging. Few initiatives will generate the type of return on investment from a security perspective as ensuring the use of contemporary infrastructure where possible across the U.S. government. The previous administration developed a useful strategy on these issues in 2017, but given the level of legacy systems still in use, Federal IT modernization was shaping up to be a generational struggle. The new EO’s focus on cloud technologies and Zero Trust architecture align with and reinforce the gold standards for modern IT — and hopefully it will significantly speed their adoption. (Our CEO, George Kurtz, testified about the importance of IT modernization and Zero Trust, and related topics, at a Senate hearing this February.)

Second, the requirement for Federal agencies to implement endpoint detection and response (EDR) capabilities can clearly and significantly strengthen Federal cybersecurity outcomes. Though already a central component of cybersecurity programs within industry, Federal adoption has been slowed somewhat by barriers to cloud-based solutions. Agency planners should carefully evaluate providing this type of capability where possible as a shared service across the “.gov,” and consider the use of capabilities that integrate with and enable other core government cybersecurity missions, such as vulnerability management, incident response and security operations center (SOC) as a service. A unified model to these missions will confer a number of advantages, from native standardization across agency users, to reducing cost and complexity, and generating training, management, and other operational efficiencies.

Third, the EO reinforces the need to increase threat hunting across the “.gov.” The industry-leading approach to this mission requires properly instrumenting subject environments, which can be achieved through technologies like EDR. But hunting also requires hiring, training and orchestrating staff for continuous, real-time, 24/7 operations, or leveraging service providers to augment internal teams or perform on agencies’ behalf. Sending in a specialized team to hunt for adversaries for a week or two at a time no longer cuts it. From the defender’s perspective, it’s too infrequent, too noisy, too disorienting and too inefficient — whereas from the adversary’s perspective, laying low for a short period represents a mild inconvenience. Depending on their objective, an adversary may intentionally remain inactive for weeks, months or years after gaining access.

IV. The “.mil”

This week’s EO encourages the U.S. Department of Defense (DoD) to adopt similar programs and capabilities as those mandated for the Federal civilian government. DoD too grapples with a legacy IT problem that is in many ways compounded by the scope of their networks and systems, their geographical dispersion, the criticality of their missions, and the absence of commercial analogues to some of their devices and systems (e.g., increasingly networked weapons platforms).

DoD should continue down the path of leveraging best-in-class commercial technologies and systems wherever possible. This is particularly salient for applications and systems with direct commercial analogues, such as general business systems and collaboration software. The overwhelming majority of enterprise IT security solutions also fall into this category. A useful way to think about DoD cybersecurity is to ask: Does a civilian agency, a major bank or leading tech company have this specific problem? For securing standard endpoints, communications, credentials, and so on, the answer is “yes” — and industry people and solutions can address most of the problems. For securing specialized intelligence, surveillance and reconnaissance (ISR) systems or fighter jets, the answer is “not really” — and this is where DoD military and civilian personnel should apply particular focus.

In keeping with the EO’s direction, the most important cybersecurity issue DoD leadership should explore over the coming months is next-generation enterprise security. This effort should both leverage and defend emerging cloud platforms, and it should implement concepts like Zero Trust architecture and EDR. Although these alone cannot solve DoD cybersecurity, they can integrate with and inform core security tasks and ensure that whatever solution we adopt remains relevant long into the future. 

V. Conclusion

After a challenging start to this year from a cybersecurity perspective, this week’s EO stands to catalyze a number of positive, concrete advancements. Across the country, as well as within the “.gov” and “.mil,” there are some steps we must take to better defend ourselves. With the right application of people, process, and technologies, we can address some persistent issues and help ensure government cybersecurity can outpace emerging threats.

Additional Resources

Related Content