Putting the Cybersecurity Executive Order Vision Into Action
August 24, 2021
By Dean Coclin, Senior Director Business Development at DigiCert
Ransomware attacks have been all over the headlines in recent weeks, putting a new spotlight on the need for cybersecurity. Shortly after a ransomware attack disabled a major fuel pipeline supporting the East Coast, President Biden signed an executive order focused on improving the nation’s cybersecurity.
The new EO is targeted at Federal departments and agencies, and federal contractors, but its impact is expected to reach far and wide across critical infrastructure sectors and the technology companies that support them. In fact, the order encourages businesses to follow the Federal government’s lead to build up their cybersecurity investments and better protect their organizations.
Here are some of the highlights of the new directive, and what they mean for any organization that is interested in keeping their users and data safe—in other words, most everyone.
Toward tougher, modernized cybersecurity
A major pillar in the new EO calls for modernizing and implementing stronger cybersecurity standards. Its aim is to help the Federal government move to more secure cloud services and a zero-trust architecture. The order also mandates deployment of multifactor authentication and encryption within a specific time period.
Encryption is one aspect of the EO where PKI solutions can help ensure the high level of trust required. PKI is proven, flexible, and widely adopted across many different industries and use cases. It secures not only websites but networks, email, devices, documents, and even individual users. IT and security teams are comfortable with PKI because it lets them issue and manage encryption and authentication certificates in the cloud, on-prem, or in hybrid environments.
PKI can also contribute to supporting the zero-trust architecture. Zero trust is based on the mantra, “never trust, always verify.” It centers around the idea that no organization should ever automatically trust devices or users based only on their physical or network location—or who owns the device. Whether it’s an IoT device like a healthcare IV pump, or a remote employee logging into the company network, every connection needs to be verified.
For example, in a healthcare environment, caregivers need to be sure they can trust all the IoT devices that are connecting to their environments, as well as the online services and apps they need to serve patients. PKI can help establish the identity of these essential IoT devices, assuming the provider has a proper, valid certificate in place. It can also help organizations protect sensitive healthcare data through encryption, whether the data is in transit or at rest. Although PKI doesn’t cover every single aspect of a zero-trust environment, it does provide a strong foundation for the authentication and trust that’s required.
Strengthening software security
The new EO also provided some strong direction to improve the security of software, and the supply chain itself. It sets up baseline security standards for development of software sold to the government, including requirements for improved visibility into software, and making security data publicly available. This part of the order recognizes that too much software is shipped with vulnerabilities that bad actors can exploit.
Securing software isn’t easy in fast-paced DevOps-driven organizations. Most workflows are all about maintaining continual development and pushing deliverables out, rather than security by design. Fortunately, when implemented the right way, best practices like code signing can help companies bake security into each stage of the development process. Applying digital signatures lets organizations take control of development and confirm the integrity of code before it moves further along in the development cycle, and out to production environments and customers.
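The gate described above, where a pipeline refuses to promote code whose signature does not verify, looks like the following in practice. This is an added example, not code from the original post or from DigiCert; it uses a freshly generated Ed25519 key pair as a stand-in for the key behind a code-signing certificate, and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact bundles a build output with the detached signature a release
// pipeline would carry alongside it (constructed structure for this example).
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// ErrUntrustedArtifact is returned when a stage gate rejects an artifact.
var ErrUntrustedArtifact = errors.New("artifact signature invalid: promotion blocked")

// NewSigningKey generates the Ed25519 key pair that stands in for a
// code-signing certificate's key. In production the private key would live
// in an HSM or key vault, never on the build agent.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtifact signs the SHA-256 digest of the artifact, as code-signing
// tools do, so the signature covers the exact bytes the build produced.
func SignArtifact(priv ed25519.PrivateKey, name string, content []byte) SignedArtifact {
	digest := sha256.Sum256(content)
	return SignedArtifact{Name: name, Content: content, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyArtifact recomputes the digest and checks the signature against the
// trusted public key. Any change to the content or the signature fails here.
func VerifyArtifact(pub ed25519.PublicKey, a SignedArtifact) bool {
	digest := sha256.Sum256(a.Content)
	return ed25519.Verify(pub, digest[:], a.Signature)
}

// PromoteToStage is the gate between pipeline stages: only artifacts whose
// signature verifies under the trusted key move forward.
func PromoteToStage(pub ed25519.PublicKey, a SignedArtifact, stage string) (string, error) {
	if !VerifyArtifact(pub, a) {
		return "", fmt.Errorf("%s -> %s: %w", a.Name, stage, ErrUntrustedArtifact)
	}
	return fmt.Sprintf("%s promoted to %s", a.Name, stage), nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed build output; a real pipeline would sign the packaged binary.
	art := SignArtifact(priv, "service-v1.2.0.tar.gz", []byte("constructed build output"))
	msg, err := PromoteToStage(pub, art, "staging")
	fmt.Println(msg, err)

	// Simulate a modification after signing: one flipped byte blocks promotion.
	tampered := art
	tampered.Content = append([]byte(nil), art.Content...)
	tampered.Content[0] ^= 0xff
	_, err = PromoteToStage(pub, tampered, "production")
	fmt.Println(err)
}
```

The point of signing the digest at build time and verifying at every later stage is that integrity is checked where the code is consumed, not only where it was produced; a signature that fails after a rebuild or a manual patch is the signal that something entered the pipeline outside the sanctioned path.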
But what about organizations using open-source libraries where the integrity of code is more difficult to track? To get comprehensive visibility into the security of code, it is becoming increasingly important to establish a software bill of materials (SWBOM). A complete list of all the components that make up a software application, including version numbers, software patches and upgrades, and any open-source elements, can enable developers and manufacturers to apply security to meet today’s DevOps and IoT challenges.
An SWBOM can strengthen not only software development processes, but the entire manufacturing supply chain. Today, many chips embedded in devices come with software baked on, and manufacturers may have no idea where it comes from. As devices and components become more sophisticated, tracking the myriad bits of code that can wind up inside a device is becoming extremely difficult. The new EO encourages developers and manufacturers in the IoT space to gain deeper insight into what’s on their devices. If a breach or software issue should occur, an SWBOM can improve their ability to determine whether the code in question has been deployed to customer environments—and provide the first steps toward a remediation strategy.
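The question the previous two paragraphs raise, "which of our shipped products contain the affected component?", is exactly what a bill of materials lets you answer mechanically. The following is an added example, not code from the original post or from DigiCert: it parses a set of constructed CycloneDX-style SBOMs (the products and the "tls-lib" component are hypothetical) and lists every product that ships the component at a version older than the first fixed release.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is the subset of a CycloneDX component record used here.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// SBOM is a minimal CycloneDX-style bill of materials: the product it
// describes (metadata.component) plus every library or firmware blob inside it.
type SBOM struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// Finding records one product shipped with a component in the affected range.
type Finding struct {
	Product   string // product name and version from the SBOM metadata
	Component string
	Version   string
}

// SampleSBOMs are constructed for this example; the products and the
// "tls-lib" component are hypothetical, not real software.
var SampleSBOMs = []string{
	`{"bomFormat":"CycloneDX","metadata":{"component":{"name":"infusion-pump-firmware","version":"3.1.0"}},
	  "components":[{"name":"tls-lib","version":"1.0.4","purl":"pkg:generic/tls-lib@1.0.4"},
	                {"name":"json-parser","version":"2.3.0"}]}`,
	`{"bomFormat":"CycloneDX","metadata":{"component":{"name":"gateway-service","version":"2.0.0"}},
	  "components":[{"name":"tls-lib","version":"1.1.0"},{"name":"json-parser","version":"2.3.0"}]}`,
	`{"bomFormat":"CycloneDX","metadata":{"component":{"name":"ward-dashboard","version":"5.2.1"}},
	  "components":[{"name":"tls-lib","version":"1.0.10"},{"name":"chart-widgets","version":"0.9.2"}]}`,
}

// ParseSBOM decodes one JSON document and rejects anything that is not CycloneDX.
func ParseSBOM(data []byte) (SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return SBOM{}, err
	}
	if s.BOMFormat != "CycloneDX" {
		return SBOM{}, fmt.Errorf("unsupported bomFormat %q", s.BOMFormat)
	}
	return s, nil
}

// LoadSampleSBOMs parses the constructed inventory above.
func LoadSampleSBOMs() ([]SBOM, error) {
	out := make([]SBOM, 0, len(SampleSBOMs))
	for _, doc := range SampleSBOMs {
		s, err := ParseSBOM([]byte(doc))
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

// parseVersion splits "1.2.3" into integers so that 1.0.10 sorts after 1.0.9;
// a plain string comparison would get that wrong.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, _ := strconv.Atoi(p) // non-numeric segments such as "rc1" count as 0
		out[i] = n
	}
	return out
}

// versionLess reports whether version a is strictly older than version b.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for len(pa) < len(pb) {
		pa = append(pa, 0)
	}
	for len(pb) < len(pa) {
		pb = append(pb, 0)
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// AffectedProducts answers the question an advisory raises: which shipped
// products contain `component` at a version older than `fixedIn`?
func AffectedProducts(sboms []SBOM, component, fixedIn string) []Finding {
	var findings []Finding
	for _, s := range sboms {
		for _, c := range s.Components {
			if c.Name == component && versionLess(c.Version, fixedIn) {
				findings = append(findings, Finding{
					Product:   s.Metadata.Component.Name + " " + s.Metadata.Component.Version,
					Component: c.Name,
					Version:   c.Version,
				})
			}
		}
	}
	return findings
}

func main() {
	sboms, err := LoadSampleSBOMs()
	if err != nil {
		panic(err)
	}
	// Hypothetical advisory: tls-lib releases before 1.1.0 are affected.
	for _, f := range AffectedProducts(sboms, "tls-lib", "1.1.0") {
		fmt.Printf("%s ships %s %s: schedule remediation\n", f.Product, f.Component, f.Version)
	}
}
```

With the constructed inventory, the pump firmware (tls-lib 1.0.4) and the dashboard (1.0.10) are flagged while the gateway (1.1.0) is not. The numeric version comparison matters: an SBOM lookup that compared version strings lexically would misclassify 1.0.10 against 1.0.9, which is the kind of quiet error that leaves a deployed device unpatched.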
Establishing a Cybersecurity Safety Review Board
Another strong recommendation of the EO is the establishment of a Cybersecurity Safety Review Board composed of private sector and government leaders. Like the National Transportation Safety Board, this team would assemble after a major incident to analyze what happened and make recommendations for improving cybersecurity.
This review board is an excellent example of how the Federal government can partner with industry leaders to drive positive change. All too often, individual organizations will fail to fully investigate cybersecurity incidents. Instead of taking stock of what lessons they’ve learned, they may move on too quickly, and wind up repeating the same mistakes. The EO not only sets up a deeper investigation of major incidents, but also encourages the kind of information sharing that industries need to understand and respond to new threats faster—and minimize the damage they can cause.
People rarely agree on anything in Washington, but the new cybersecurity EO demonstrates that there’s plenty of common ground when it comes to protecting people, devices, and networks from malicious cyber attacks. At DigiCert, we’ll continue to drive innovation to help our customers ensure that their data and operations remain trusted, safe, and secure.