At a glance.
- The UK's Active Cyber Defence initiative.
- US Executive Order on Improving the Nation's Cybersecurity is out.
- Update on pending Congressional cybersecurity bills.
- Cyberspace as an operational domain.
- UK calls for international cooperation on cybersecurity.
The UK’s Active Cyber Defence initiative.
SecurityWeek describes Britain’s National Cyber Security Centre (NCSC) Active Cyber Defence (ACD) initiative. According to the NCSC’s annual report on the program, ACD aims to “Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyberattacks the majority of the time.” The program principally serves Government and wider public sector organizations, but the NCSC is exploring extending it to the private sector and to international partners.
ACD’s toolkit includes the following services: Takedown, Web Check, Protective DNS, Dangling DNS, Mail Check, Suspicious Email Reporting, Host Based Capability, NCSC Observatory, Cyber Threat Intelligence Adaptor, and Exercise in a Box. In 2020 the program took down over 700,000 malicious campaigns, among them forty-three unsanctioned copies of the NHS Test and Trace app and nearly 30,000 pandemic-themed campaigns. Since 2016 the UK’s share of global phishing has fallen from five percent to below two percent.
In addition to blocking active campaigns, the ACD collects and analyzes datasets to help the NCSC stay one step ahead of emerging threats.
US Executive Order on cybersecurity sets out ambitious goals for both government and the private sector.
President Biden yesterday evening signed the long-anticipated Executive Order on Improving the Nation's Cybersecurity. "It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security," and the President says he expects the Federal Government to lead by example. The Order calls on the Federal Government to make "bold changes" and "significant investments" to protect and secure its computer systems. "The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT))." It formalizes the responsibilities the Cybersecurity and Infrastructure Security Agency (CISA) has for functional oversight of Federal Civilian Executive Branch (FCEB) Agencies, but it also prescribes important roles for the FBI and Defense agencies (notably the National Security Agency).
The principal goals of the Executive Order may be summarized as follows:
- Remove the contractual barriers that keep Federal IT service providers from sharing threat and incident information with the agencies they serve.
- Modernize the Government's approach to cybersecurity, simultaneously "increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties."
- Enhance software supply chain security. The National Institute of Standards and Technology (NIST) will take the lead in developing standards for supply chain security, including criteria for secure development environments, software bills of materials, and software provenance, among other measures. These will directly affect industry, especially those companies who produce "critical software," a category that the Executive Order tasks NIST, in consultation with CISA, with defining. Eventually this section of the Executive Order will extend as far as consumer software, which will, among other things, be labelled for safety and security.
- A Cyber Safety Review Board will be established by the Secretary of Homeland Security, and it will be convened in response to major cyber incidents, that is, incidents that trigger the establishment of a Cyber Unified Coordination Group. The Board will play a role in cybersecurity analogous to that played by the National Transportation Safety Board in response to, for example, lethal airline accidents.
- Establish standardized incident response processes for the Federal Government.
- Improve detection of both vulnerabilities and incidents on Federal networks. (This will require, the Executive Order notes, close coordination between the Departments of Defense and Homeland Security.)
- Improve Federal investigation and remediation capabilities. CISA and the FBI will play central roles in this.
- And, finally, the Department of Defense is charged with doing at least all of this for the networks and systems it oversees: "the Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems."
The Executive Order emphasizes throughout the importance of a zero-trust approach to cybersecurity.
We've received a number of comments from industry experts on the Executive Order.
Nikesh Arora, chairman and CEO, Palo Alto Networks, emailed us comments on the Executive Order. He particularly approves of the attention paid to zero trust:
"We applaud today’s executive order to strengthen our national cyber defense. The EO prioritizes the critical areas of securely modernizing Federal IT, strengthening software supply chain security and fostering Zero Trust adoption. Palo Alto Networks will continue to work with the U.S. government to transition these policies into actionable outcomes.”
Rick Tracy, CSO of Telos Corporation, particularly approves of the emphasis on easing information sharing:
"The White House is to be commended for issuing an extensive executive order that acknowledges the severity and scope of the cybersecurity challenges facing the public and private sectors, the American people and our economy. It is encouraging on an initial read of its overall thrust. I especially applaud the direction for federal departments and agencies to, as much of the private sector has already done, move more rapidly to adopt secure cloud services, the requirement for them to adopt multifactor authentication and the push for increased use in government of such practices as zero trust architecture. These are solid steps to improve federal cybersecurity, as is the order's objective of establishing a government-wide endpoint detection and response system. The order’s requirement that IT providers must now share breach information which could impact government networks is long overdue, as this information is too vital to protecting federal systems for such sharing to be voluntary.
"While this executive order focuses primarily on federal cybersecurity, the White House announcement does note the importance to the nation of critical infrastructure security, and the growing number of cyber incidents affecting these largely private enterprises. Hopefully further government actions will be taken to at least create incentives for or otherwise encourage these private companies to adopt the NIST Cybersecurity Framework and take other strong actions to better secure their networks and systems."
Charles Herring, CTO and Co-Founder of WitFoo, notes the "aggressive" timeline the Executive Order prescribes:
"The Biden administration’s cybersecurity executive order is wide ranging and carries an aggressive timeline to make overdue safeguards a pressing priority. The mandates for immediate deployment of multi-factor authentication, EDR and log retention technologies across all Federal agencies are critical enhancements needed to modernize and harden government infrastructure. These technologies also provide essential visibility into a very wide surface area across the Executive branch that will enable investigators to effectively track down and respond to emerging attacks.
"Section 2 of the order points to problems with the manner in which service providers charge the government for sharing threat and incident information. OMB is instructed to create new contract language within 60 days to require providers to collect and preserve threat and incident data and to make it available to the Federal government while removing restrictive “contract terms or restrictions” that “may limit the sharing” of this information. The language indicates the government is expecting providers to share proprietary intelligence that many providers currently sell at a premium.
"The SolarWinds breach highlighted a need to increase software supply chain audits. Progressive language in section 4 of the executive order requires software providers to perform source code analysis at release cycles and to provide proof of secure code before delivering new versions to the federal government. Penalties for not meeting these requirements will mean vendors will lose contracts and agencies will have to find new solutions to meet their needs. For years source code integrity has gone largely unaudited which is going to leave many software providers scrambling to update secure development operations (SECDEVOPS) procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant. It is a potentially devastating blow to providers that have neglected these hygiene steps."
ImmuniWeb's Ilia Kolochenko thinks the Administration will find it difficult to meet the ambitious deadlines the Executive Order sets:
“This is a laudable initiative that is, however, arduous to implement in such a short period of time. Many entities of the federal government still fall short of FISMA, enacted in 2014 and aimed to bolster cyber resilience of the US government. The current situation with the recently enacted Cybersecurity Maturity Model Certification (CMMC) - requisite to do business with the US DoD - is similarly complicated. Finally, the Cybersecurity Safety Review Board may face traditional challenges of interagency collaboration.
"From a practical viewpoint, merely adding a zero-trust model is unlikely to solve the fundamental problems, such as lack of visibility or incomplete IT assets inventory, inconsistent security strategy or insufficient training and awareness for employees. Nonetheless, this Executive Order convincingly demonstrates that Joe Biden’s administration cares about cybersecurity and takes it seriously. Hopefully, the upcoming regulations will also be underpinned by additional budget allocations and other resources required to build a resilient information security program at the federal level.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan, is heartened by the Executive Order's emphasis on infrastructure protection:
"I applaud the Biden Administration’s Executive Order to strengthen cybersecurity. Although the logical access requirements in HSPD-12 have been around for years, the reality is not every employee and contractor has a PIV card and agencies have relied upon vulnerable usernames and password authentication for convenience and during the pandemic when biometric PIV enrollment was not possible, as noted in 2020’s Office of Management and Budget (OMB) memo 20-19. The E.O. may drive agencies to adopt some of the provisions in 2019’s OMB memo 19-17, which updated the Federal Identity Credential and Access Management (ICAM) policy. It lists a variety of action items for the General Services Administration, including “Innovate capabilities and update Federal Public Key Infrastructure (PKI) to provide the government with a trust framework and infrastructure to administer digital certificates and other authentication solutions, such as those based on public-key cryptography.” Simply put, agencies should no longer be limited to issuing PIV cards for logical access and with GSA’s help, they will be able to issue and accept modern authenticators, which could include those built on the FIDO Alliance standards based on public-key cryptography.
"Although this Executive Order was in the making following the SolarWinds attack, its release comes days after the ransomware attack on the Colonial Pipeline. This week thousands, if not millions, of Americans are feeling the pain of gas shortages reminiscent of the 1970s due to the pipeline being shut down. A temporary inconvenience for most, but a stark warning to all, reminding us how vulnerable our critical infrastructure sectors are to cyberattacks.
"With the private sector owning and operating an estimated 85% of all critical infrastructure, it is imperative that all public and private sector organizations should step up cybersecurity measures. On May 11, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a Joint Cybersecurity Advisory to owners and operators of critical infrastructure. One of the easiest cybersecurity measures to deploy is to require multi-factor authentication (MFA), a key provision of the E.O. and one recommended as a mitigation action in the Joint Cybersecurity Advisory, for remote access to operational technology (OT) and IT networks. The E.O. goes a step further by mandating multi-factor authentication (MFA) across agencies and not relying on passwords. Refreshingly, that comes with no exceptions. The cybersecurity industry has been yearning for the death of the password for years. Passwords may not die in 2021, but the Biden Administration has added a nail to the coffin."
Andrew Rubin, CEO and co-founder of Illumio, thoroughly approves the Executive Order's emphasis on zero trust and segmentation:
"This is the first time in history that The President of the United States of America has acknowledged that we cannot stop all security incidents. Signing this executive order - mandating Zero-Trust and segmentation - has become a public demonstration that detection does not work 100% of the time (see: Colonial Pipeline, SolarWinds, MSFT Exchange).
"Our complete reliance on detection to find and stop bad things is no longer an option. With bad actors and nation-states operating at all time high levels of sophistication, a failure to recognize this will result in a small incident turning into a catastrophic attack -- with the potential to impact human lives. We need segmentation and we need Zero-Trust -- and our government has now publicly declared this vital."
Chad McDonald, CISO at Digital.ai Software, shares what he sees as the Order's view that security is a process:
“The new executive order underscores that security is not a ‘point in time’ strategy – it must be continuously and strenuously assessed to stay ahead of increasingly sophisticated bad actors. This is a good start, but policy alone will not solve these issues. Enterprises worldwide need to consider security a priority from software planning and development through delivery. Attacks like the one on the Colonial Pipeline are not new and certainly not going away. The reality is that they are likely to become more frequent, complex and catastrophic. Enterprises and governments need to consider readying a proactive response to these events otherwise they may find themselves dealing with attacks that harm human life, cost millions or billions of dollars, and irreparably damage trust and brands.”
Demi Ben-Ari, CTO and Founder, Panorays, liked the emphasis on supply chain security:
"It’s heartening to see that the United States is taking steps to bolster supply chain software security for the federal government. Many organizations don’t realize that simply installing third-party software has the effect of expanding one’s attack surface, thereby increasing the risk of cyberattacks. The US government unfortunately learned this the hard way with SolarWinds, when hackers inserted malware into network management product updates.
"The reality is that every industry should be taking steps to implement effective third-party security management. But there's no question that this executive order to create essential cybersecurity standards for the federal government is definitely a step in the right direction."
The opportunity for public-private partnership pleased Padraic O’Reilly, Co-Founder & Chief Product Officer, CyberSaint Security, and especially with respect to information sharing:
"Information sharing within the cybersecurity community has long been decried as something there needs to be more of. That said, it must be approached with the proper guardrails in place to ensure the protection of those sharing the information. As industries that have struggled with standardizing and information sharing begin this journey, look to sectors that have successfully done it for decades. Specifically, the financial services sector. By extending the guidelines seen in financial services, the disincentives for information sharing are reduced.
"As the government looks to increase the communication between public and private sectors, they must work to ensure that it is a two way street. The EO does acknowledge this need, however, historically private sector CISOs have felt that the information sharing ends up as a one-sided relationship.
"The balance between the data and human problems in cyber is something we look at early and often. As a step to enhancing the posture of organizations both public and private, the government needs to be contributing data sets such that risk management can be enhanced and performed with greater precision and knowledge. By pooling risk data across sectors, security leaders can get a more complete picture which is what is severely lacking across both organizations and industries.
"This executive order is a strong step toward enhancing public-private partnerships within critical infrastructure cybersecurity. By widening the FAR to require cyber hygiene standards across all agencies, we can begin to set some baselines. Furthermore, by learning from and integrating on the DFARS and CMMC rollout within the DIB, we may begin to see the expansion of CMMC to other sectors. The critical step, though, is getting teeth behind the regulation while also making stronger cyber practices accessible."
Robert Cattanach, partner at the international law firm Dorsey & Whitney, where he has a practice in regulatory litigation, sees regulation moving in to correct a market failure:
"One thing everyone can agree on: Private market incentives to prevent damaging cybersecurity failures have proven completely inadequate. The question is whether the purchasing power of the federal government can change that. The reach of any Executive Order is by definition limited to the Executive Branch of Government. A significant swath of the market to be sure, but whether the added disincentive of losing government contracts will move the cyber-protection needle remains to be seen. It is not as though the federal government and its contractors currently lack sufficient incentives to prevent massive security hacks.
"What the Executive Order may be able to do, however, is lower the barriers to communication that could improve the ability of both public and private sector to detect and share threat information, which are substantial for many reasons: reluctance to admit security failures, fear of enforcement, contractual limitations, and simple inertia. By mandating prompt disclosure of cyber events by federal contractors, establishing a lessons learned process, and more rigorously vetting the reliability of newly defined “critical software” through the lens of a “Zero Trust Architecture”, the process-heavy Order will focus both attention and resources on a component of the day-to-day functioning of both the public and private sectors that is undeniably hugely vulnerable. To be clear: vulnerabilities can never be completely eliminated; responding promptly and sharing critical insights, however, can substantially limit the damages of any cyber attack."
Tim Erlin, VP, product management and strategy at Tripwire, correctly sees the Order as a roadmap:
“This executive order should be read as a roadmap for dramatically improving cybersecurity across the government and, insofar as possible, within the private sector. The executive order outlines a series of actions at various intervals that range from establishing a cybersecurity review board to standardizing contractual language around information sharing. Most of the immediate action stemming from this executive order comes from further development of standards and recommendations. We’ll see these roll out at the intervals specified in the order itself.
"In many ways, the Federal Government’s most powerful tool for influencing the private sector is its own purchasing power. By including cybersecurity requirements in purchasing contracts, the Government can influence a wide swath of the private sector.
"Standardizing contractual language may not seem like the most exciting or impactful action to take, but with an organization the size of the Federal Government, it’s exactly the kind of action that can cause broad, sweeping change.
"In many ways, the executive order lays out a back-to-basics approach. While technology advances, core principles like identifying and remediating vulnerabilities, collecting logs, and building an incident response plan are all still required. With a nationally sized problem at hand, consistent implementation of basic controls can go a long way towards improving the situation.
"It’s unfortunate that this order doesn’t specifically call out the pervasive problem of misconfiguration. While the need to configure systems securely is implied with a Zero Trust architecture, a more specific recommendation around establishing secure configurations would fit well with the language around vulnerabilities and logging.”
Mark Carrigan, Senior VP of Global Sales Excellence at Hexagon, emphasized that the Executive Order isn't a holistic solution to the threat of cyberattack:
"President Biden’s Executive Order, Improving the Nation's Cybersecurity, is an important step to further protect our nation's critical infrastructure, but should not be seen as a holistic solution to the threat posed by malicious attackers.
"The Executive Order includes many laudable practices to improve our cyber security defense strategy, but is conspicuously lacking any mention of the federal government’s role in providing deterrence to malicious actors. An offensive cybersecurity strategy cannot be borne by industry. Companies are not in the business of taking countermeasures to disincentivize or punish attackers. It is the responsibility of the government to establish laws and strictly prosecute critical infrastructure cyber-attackers. We must send a strong message to the rogue elements and the governments who enable or ignore their activities that we consider cyberattacks on our critical infrastructure as a threat to national security. Without proportional consequences, bad actors, regardless of their motivation, will continue their malicious attacks. Their current financial gain is far greater than any fear of retribution.
"As noted in the order, 'The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).' Notably, virtually every OT system used to control industrial critical infrastructure, including pipelines, refineries, power plants and chemical plants, does not meet the requirements stipulated in this Executive Order. The order requires software 'establishing multi-factor, risk based authentication' and 'encryption for data.' OT systems do not contain these capabilities, and would require a fundamental redesign to do so. Once developed, the cost to upgrade all the existing OT systems will run into many billions of dollars.
"At this point the Executive Order is limited to the United States Federal Government and their suppliers, but it appears that the President’s intent is to see these policies become applicable to industry as a whole. While improving the security of our critical infrastructure is a matter of national security, we must acknowledge the impacts that will follow if these practices are widely adopted, including:
- "Small business – the costs to comply with the provisions outlined in supply chain security will be substantial. Small businesses may not have the resources to do so, and will yield to larger enterprises with the ability to invest accordingly. Many will not survive.
- "Innovation – software companies large and small will need to invest resources to comply with this order, likely pausing further innovations within their systems.
- "Costs – these security requirements will raise prices across the board. The full extent of this impact is hard to calculate, but we must all recognize that investments required to secure our critical infrastructure will come with a hefty price."
Mark Guntrip, Senior Director, Cybersecurity Strategy, Menlo Security, likes the emphasis on industry standards:
"This latest cybersecurity executive order finally sets the industry standard for security best practices that should have been implemented and upheld decades ago. The industry as a whole has been unprepared and failed to provide adequate solutions to the latest security threats time and time again. Federal agencies must have full confidence in the entire supply chain, from top to bottom, and the only way to instill that confidence is through a true Zero Trust approach that leaves nothing to chance, prevents breaches and isolates threats from the network by design.
"An example of this approach is Cloud Based Internet Isolation (CBII) rolled out by DISA last fall. It separates the threat from direct connections to DOD networks, isolating potential malicious code and content within the cloud platform. CBII also helps manage content downloads helping to reduce network congestion by rendering the document remotely. DISA has indicated it intends to scale the program from the initial 100,000 users to 3.5 million as the DOD embraced remote work during the COVID-19 pandemic.
"SolarWinds, Microsoft Exchange vulnerabilities and Colonial Pipeline are just a few of the most recent and unfortunate examples of how security can go wrong at a grand scale. However, they certainly aren’t the first and won’t be the last that are showcased as examples of the “worst cyber attacks in history,” unless the community at large makes a drastic change in how our systems are secured and how the architecture is built.
"Despite increased investment, current cyber defenses continue to prove to be inadequate and a new approach is urgently needed. New attack vectors are emerging as every industry deals with their own digital transformation, hybrid and mobile workforces and an accelerated move to SaaS."
We'll give the last word to a Government official, acting CISA Director Brandon Wales, who issued a statement on the Order, which most directly affects his agency:
“President Biden’s executive order is an important step forward in bolstering our nation’s cybersecurity. As last week’s ransomware attack against the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate, our nation faces constant cyber threats from nation states and criminal groups alike.
“As the nation’s lead agency for protecting the federal civilian government and critical infrastructure against cybersecurity threats, CISA serves a central role in implementing this executive order. This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.
“The cybersecurity landscape is constantly changing, and this executive order reflects the need for a sustained commitment and urgent progress. We are now moving forward with this same commitment and urgency to implement the President’s executive order to defend against the threats of today and secure against the risks of tomorrow.”
US Congress considers a range of cybersecurity measures.
Congress has also been active with respect to cybersecurity. Here are some of the more interesting bills under consideration:
- S. 1316 (US Senate, 117th Congress, 1st Session): To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to make a declaration of a significant incident, and for other purposes.
- A bill to establish a Federal rotational cyber workforce program for the Federal cyber workforce (US Senate), which may be cited as the ‘‘Federal Rotational Cyber Workforce Program Act of 2021.’’
- A bill to require the Secretary of Homeland Security to establish a national risk management cycle, and for other purposes (US Senate), which may be cited as the ‘‘National Risk Management Act of 2021.’’
- A bill to prohibit certain individuals from downloading or using TikTok on any device issued by the United States or a government corporation (US Senate), which may be cited as the ‘‘No TikTok on Government Devices Act.’’
- A bill to ban the Federal procurement of certain drones and other unmanned aircraft systems, and for other purposes (US Senate), which may be cited as the ‘‘American Security Drone Act of 2021.’’
Cyberspace is a domain of both conflict and intelligence competition.
Some characterize cyberspace as a field for “intelligence contest,” Lawfare observes, and others, as “largely a domain of warfare or conflict,” but in reality, it’s both (just like the other four operational domains of ground, sea, air, and space, one might reflect). Removing the “binary” intelligence/conflict blinders allows insight into “mutual opportunities” beyond intelligence gain-loss deliberations. Offensive campaigns can facilitate intelligence objectives, and vice versa, simultaneously or sequentially, intentionally or accidentally. The Holiday Bear and Hafnium campaigns, for example, ostensibly enabled both ends—as does Defend Forward.
US cyber policy discussions, Lawfare argues, need to evolve to reflect this overlap. The relevant bodies should reorganize around the dual possibilities of US and adversarial operations. Specifically, Washington should invest in intelligence capabilities for determining adversarial intent and incidental offensive impact, and clarify the norms surrounding responsible cyber espionage. Confidence building measures, no-first-use policies, and public declarations of standards and commitments are possible steps forward.
UK Foreign Secretary Dominic Raab calls for international cyber cooperation (and calls out Russia).
"Now there is a common misconception that cyber power is all about people like Q in a bunker somewhere, coming up with the gizmos of the future," the foreign secretary said yesterday in an address. "The reality is that it is much much broader than that."
Apart from throwing gratuitous shade at Q (who's always been a favorite of ours), his point was a familiar one, that cybersecurity, with its pervasive presence and effect in contemporary society, requires at some level not just a whole-of-nation approach, but cooperation among like-minded allies. "Today, as you would expect, we are working closely with traditional partners like the 5 Eyes and in NATO. But here we are also seeking to bridge old geopolitical dividing lines, between the West and the G77, the Global North and the Global South." The commitment to non-traditional partners will be financial as well as operational and diplomatic. "So today I am very pleased to announce that the UK government will invest £22 million in new funding to support cyber capacity building in those vulnerable countries particularly in Africa and the Indo-Pacific."
Mr. Raab also noted that the UK has developed a cyber offensive capability, and he didn't hesitate to call out Russia for its toleration of, and willingness to harbor, cybercriminals. "And let’s be clear, when states like Russia have criminals or gangs operating from their territory they cannot hold up their hands and say not them but they have a responsibility to prosecute them, not shelter them." Russia's embassy in London dismissed his remarks as a mixture of hypocrisy and disinformation.