Today, President Biden laid out an executive order that proposes to strengthen and promote innovation in the nation’s cybersecurity efforts. It builds on previous executive orders, and I encourage you to give this one a read.
Dr. Marc Manzano, general manager for cybersecurity at SandboxAQ had this comment:
“The Biden administration’s emphasis on requiring software vendors to provide proof of security is a significant step toward strengthening the software supply chain and ensuring greater accountability. This focus on security aligns with the critical need for improved compliance, auditing, observability, and agility in managing modern cybersecurity challenges. With this new EO, I am delighted to see additional efforts to push the current status quo and establish a more regulated framework, as this will ultimately improve IT resilience and safeguard critical systems across industries.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 adds this comment:
“This is a huge, widely varying cybersecurity EO that covers dozens of technologies and initiatives. There is a lot to love in it. Here’s what I like:
- It focuses on software security (although not firmware, strangely), stating that vendors to the US government must prove they are following secure development practices and secure software chain procedures.
- It’s going to add guidance on how to securely deploy patches and updates to NIST SP 800-53.
- It promotes strong open-source security practices.
- It is prioritizing investment in PHISHING-RESISTANT MFA.
- It is increasing the focus on threat hunting and threat identification, empowering CISA to do more of it.
- It is creating working groups around supported Endpoint Detection and Response (EDR) products to improve them.
- It is requiring the encryption of civilian space-related commands.
- It is creating new policies for cloud vendors in the FedRAMP program.
- It is increasing the security of Border Gateway Protocol (BGP) and the government’s IP address space (decades overdue).
- Promotes encrypted DNS.
- Requires email to be encrypted.
- Requires end-to-end encryption on email and other messaging apps (this is HUGE!!!).
- Promotes post-quantum cryptography protections.
- Sets aggressive 90-, 180-, and 270-day deadlines for each.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this comment:
“I suspect the federal government was already vetting the security of its software in this way to some extent, but this executive order codifies the process and makes the results of that vetting available to everyone. Many of Biden’s efforts to strengthen cybersecurity have been about improving threat intelligence and transparency, and this EO is in line with those efforts.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy concludes with this:
“I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely. Too many data breaches have been due to misconfigured data buckets, many times leaving the data stored in those buckets open to anyone with an internet connection and a little bit of knowledge. While it is not certain whether incoming U.S. President Donald Trump’s new administration will uphold the executive order, we can hope that they see the value in this executive order. Software companies should be required to demonstrate the security protections of their software.”
As one of the commenters above said, this is a big deal. My only question is whether this will actually get carried out or be killed by the incoming Trump administration. Hopefully not.
UPDATE: Christian Geyer, CEO and founder of Actfore adds these comments:
“The US needs to remain at the forefront of AI adoption and innovation because that will significantly strengthen national security. While it’s crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency. The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure. For example, international data transfer laws in the EU are way ahead compared to the US. One thing we need to be cautious about is stepping on the gas too hard to accelerate AI adoption before we have our legislative foundation settled. That could do more harm and be more of a national security threat.
The growing focus on AI integration is a positive sign of progress, but it’s essential to approach this with a clear commitment to cybersecurity and robust legislative protections. With careful planning and due diligence, we can ensure that AI adoption is not only rapid but also responsible, safeguarding against vulnerabilities and data risks for US-based companies and the government. Although the pace of technological advancement may sometimes outstrip current legislation, this presents an opportunity for the US to strengthen its regulatory frameworks and stay ahead of potential threats.
These executive orders signal a forward-thinking, proactive strategy for incorporating AI into national security. The focus must remain on integrating AI securely, with ongoing vigilance and the development of strong safeguards. The long-term success of these initiatives will depend on the ability of future policymakers to adapt swiftly to technological changes and prioritize both implementation and legal protections for the American people and their sensitive data. It will be very interesting to see what the incoming administration does with these executive orders from President Biden.”
UPDATE #2: Jim Routh, Chief Trust Officer at Saviynt, provided this comment:
“Today’s Executive Order on Cybersecurity provides additive guidance to the previous Executive Order primarily for federal agencies, those that provide product & services to federal agencies, and also includes guidance for the private sector. There is greater emphasis on resilience in cloud computing, which is timely as enterprises in the federal sector and private sector dedicate more resources to the consumption of SaaS and PaaS. Digital identity management is also a dominant theme in the Order with a clear direction toward the maturity of interoperability standards for easier management of digital identities with less dependence on storing credentials. This is more of a 10-year view on the maturity of digital identity standards but important nonetheless.
“Third-party risk management is another dominant theme in the Order and appropriately so. My blunt assessment is that existing third-party risk management functions are woefully insufficient to meet today’s needs for all types of enterprises. Conventional third-party risk management (TPRM) practices evolved from the creation of an annual cyber security risk assessment originating from a response to a security questionnaire updated annually for high risk vendors. Regulatory requirements and compliance activities promote the continued use of this obsolete framework.
The right approach for TPRM is to conduct vendor risk assessments daily through the aggregation of data derived from near real time sources/feeds across multiple domains such as:
1. cyber resilience
2. financial resilience
3. geographic/political risk
4. extreme weather events
5. supply chain disruption
6. environmental sustainability
7. legal liability
Limited resources dedicated to TPRM can and should focus on the highest-risk third parties on any particular day based on real data vs. self-attestations produced annually. Managing third-party risk should include the establishment of digital identities for third parties requiring access to cloud and on-prem systems essential to perform their function, reducing the risk of credentials being harvested and used maliciously.
Another threat vector covered in the Order is the increased threat of a ransomware attack. Ransomware as a service has increased the probability of extortion through the exfiltration and dissemination of sensitive data. Nation state sponsored threat actors are using this attack vector to fund third-party resources to perform cyber espionage. Sanctions have been used as a tool to combat the spread of ransomware, but the results are mixed. Authoritative regimes continue to proliferate the use of extortion for funding purposes of other cyber-criminal activity. Enterprises are forced to make extortion payments when existing recovery methods fail to restore core business functions in a timely manner.
How impactful the Order will be remains to be seen in addition to its shelf life as an Executive Order given the new administration taking over the Executive Branch. The role of CISA will likely evolve as will the security requirements for federal agencies. The private sector will continue to be prodded toward a more effective model of building resilience into the delivery of IT products and services for all enterprises and consumers in addition to federal agencies.”
UPDATE #3: Jonathan Gill, CEO at Panaseer provided me with this comment:
“It’s great to see such a detailed executive order relating to cybersecurity. This reflects the importance of cybersecurity at the highest levels – it is an issue of national security and should be treated as such. One of the big themes coming out of the order is the need to implement the right controls, and being able to provide evidence. Section two really underscores the need for secure software development. If it is followed through, software publishers will need to open their kimonos to show they have the right controls in place and that these are working effectively. It is also interesting to see in section seven that NIST will be issuing guidance on “minimum cybersecurity practices”, considering common cybersecurity practices and security controls.”
“Moving forward, we can expect to see even greater emphasis not just on encouraging companies to implement controls, but on providing evidence of such. However, many companies will struggle here. IT infrastructures and ecosystems have become incredibly complex. Most large organizations do not even have visibility of what assets they have, let alone the status of their security controls across those assets. This isn’t due to a lack of effort or care from cybersecurity professionals. The challenge lies in the fact that most large organizations rely on 50+ cybersecurity tools to protect their fast-moving IT environments. These tools operate in silos, disconnected from one another and informed by incomplete configuration management databases (CMDB). As we move into an era of ‘trust, but verify’, organizations will be under increasing pressure not only to outline what controls they have, but to demonstrate their effectiveness. Most large organizations already possess the data they need to understand their assets, controls coverage, and controls effectiveness, but it’s scattered and inaccessible. This data must be transformed into actionable, trusted intel, enabling security leaders to identify gaps, enforce accountability, and ensure stakeholders meet agreed-upon standards of controls.”
It’s Official, TikTok Is Screwed…. Probably
Posted in Commentary with tags TikTok on January 17, 2025 by itnerd
The Supreme Court just handed TikTok a virtual death sentence in the US by upholding a law that bans them effective Sunday:
The U.S. Supreme Court on Friday unanimously upheld the federal law banning TikTok, beginning Sunday, unless it’s sold by its China-based parent company, holding that the risk to national security posed by its ties to China overcomes concerns about limiting speech.
TikTok’s parent company, China’s ByteDance, was given until Sunday to find an American owner for the app or face going dark in the U.S., under bipartisan legislation signed last year by outgoing President Joe Biden.
Now there is a possibility that Donald Trump, who takes over as President of the United States as of Monday, could save TikTok. Which is interesting, as he was anti-TikTok the last time he was president. So we will have to see if he is able to do so. But as it stands now, it looks like TikTok will be dead in the US as of Sunday. And one has to wonder if other countries will follow suit.
UPDATE: Here’s some commentary from some industry experts:
Lawrence Pingree, VP, Dispersive
“I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address. Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation and the politics of the time.”
Ted Miracco, Approov CEO
“Liberty can only thrive when paired with accountability. As the Supreme Court shutters TikTok, it’s a reminder that safeguarding freedom of speech means not just shouting into the void, but doing so with transparency and responsibility. Regardless of where a platform originates, our online spaces must be protected from manipulation to uphold the integrity of our perspectives.”
Willy Leichter, CMO, AppSOC
“If you peel back all the politics, international negotiations, and social media hype, the TikTok ban came from genuine concerns about privacy and national security. To say that banning one platform will permanently affect free speech seems like a stretch. The fickle social media market will quickly find many alternative ways to share content and amuse themselves. Assuming this ruling doesn’t get watered down by the Trump administration, it’s an example of pursuing and acting upon serious security issues.”