At a glance.
- Retaliation in cyberspace.
- The US Executive Order's timeline.
- Industry reaction to the US Executive Order.
Retaliation in the context of cyber conflict.
The Atlantic Council considers, with the help of five experts, the broad strokes of imposing costs in the cyber domain. Non-cyber responses to cyber events are called for, the interviewees variously argued, when such responses advance national interests, promote deterrence, satisfy norms, send a desirable message, leave the nation in a stronger or more secure position, or appropriately account for the results and perpetrators of the initial attack, without encouraging escalation.
Cyber retaliation can likewise be a legitimate and useful response to non-cyber incidents, the panel concurred. Cyber responses are often lower-risk and covert. The cyber toolbox is a valuable component of the larger military-intelligence toolkit, and represents one of five frequently overlapping domains for promoting strategic goals.
The interviewees largely agreed that retaliation can function as an effective deterrent in cyberspace, if it meshes with a larger defensive strategy in a way that shifts the enemy’s cost-benefit analysis. There’s disagreement about what deterrence means in cyber, however, and most attempts at it only briefly interrupt enemy operations—likely because the cost-benefit calculus is heavily weighted towards the “benefit” side, especially in asymmetric relations.
President Biden’s executive order (EO) on Russia made a statement, the panelists said, without effecting deterrence. Russia’s cost-benefit analyses likely remain unchanged, in part because the sanctions carried little weight, perhaps appropriately, since it’s not clear Moscow violated international norms to begin with. The capacity-building prong of the EO may turn out to have the most impact.
It’s not obvious that retaliation has ever “worked” in cyberspace, the group said. It can be difficult to determine causation when the waters are quiet, and tricky to distinguish attacks from responses when they’re not. Cyber contests are ongoing, and the domain might be best understood as an “initiative-persistent environment of setting and sustaining security through the mitigation or exploitation of vulnerabilities,” in the words of Center for Cyber Strategy and Policy Chair Richard Harknett.
Countdown to security?
Federal News Network says the starter pistol has gone off: Federal agencies have sixty days to plan for zero trust and six months to adopt multifactor authentication and encrypt data at rest and in transit, among other deadlines. Some onlookers are hopeful that the Biden Administration’s cybersecurity executive order (EO 14028, signed May 12, 2021), the ninth of its kind over the past decade, will accomplish what its forerunners could not. “The EO goes right to the heart of the problem—the mix of poor cyber hygiene and buggy code,” said Center for Strategic and International Studies VP Jim Lewis.
Another Federal News Network article characterizes the EO as overly complex and burdensome. With roughly eight thousand words, forty deadlines, seventy action items, and untold reporting regimes, the order spans everything from MFA to cloud security and IoT devices, handing out assignments to the Pentagon, White House, FBI, NSA, and many others. Noting that none of the provisions are “frivolous,” the author worries the directive requires too much too soon, and could distract from day-to-day cybersecurity efforts.
More industry reaction to the Executive Order on Improving the Nation's Cybersecurity.
We've continued to receive comment from industry on the Executive Order. Jeff Barker, VP of product marketing at Illusive, wrote that the Executive Order's main themes are the improvement of "prevention, detection, assessment, remediation, and information sharing." He went on to say:
"The order acknowledged that 'incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.' It is encouraging to see top-down federal government focus on 'moderniz[ing] its approach to cybersecurity' to improve security posture, but we will need to see details and implementation timeline(s) to judge the effectiveness of the actions driven by each section of the order. At a high level, many of the identified actions have been implemented by organizations with today’s “state of the art” security tools and processes (i.e., FireEye, Microsoft), yet they have been victims of recent high-profile attacks.
"I am hopeful that when each federal organization defines the detailed requirements for areas like threat detection, they go beyond the basic detection mechanisms already deployed at recently compromised organizations. It is difficult to follow how taking 1, 2, or more years to bring the federal government’s security posture up to the level of organizations that have been recently breached will create a secure organization.
"It seems that there should be a foundational goal of leapfrogging existing prevention, detection, and response technologies and processes. Instead of simply mandating the deployment of technologies that have proven ineffective at stopping today’s nation-state and ransomware attacks, I am hopeful we will see initiatives to define solutions and processes that directly target the current sophisticated attacker TTPs."
Arctic Wolf's Technical Director, Christopher Fielder, agrees that the Executive Order seeks to address a sweeping range of basic problems:
"Yesterday’s Executive Order on Cybersecurity is a bold step forward in addressing critical areas of concern for protecting public sector networks – including supply chain security, establishing Zero Trust and endpoint detection and response (EDR) requirements, and mandating multi-factor authentication and encryption. This fundamental shift in the government’s approach from Incident Response to breach prevention and hardening defenses, including security-by-design, is needed to withstand the modern-day landscape where adversaries are leveraging sophisticated exploits and supply chain vulnerabilities to cause never-seen-before incidents with massive kinetic impact.
"It’s particularly encouraging to see the Federal government holding software providers to a higher standard, which will benefit every sector of the economy, scaling our nation’s defense with decisive government action."
Marjorie Dickman, Chief Government Affairs and Public Policy Officer at BlackBerry, believes the promotion of software bills of materials is particularly important:
“President Biden’s Executive Order was much anticipated, even before the Colonial Pipeline attack, and it didn’t disappoint in terms of being a significant step in securing America from future cyber exploits. The software bill of materials (SBOM) provision is critically important, and long overdue, in securing our nation’s software supply chain – allowing purchasers, including the federal government, to manage risk and uncover vulnerabilities that malicious hackers are targeting. The next hurdle will be how quickly the Administration and Congress can work together to implement these EO provisions and piece together additional key parts needed to secure America from cyber threats, including right sizing federal funding for cybersecurity investment in America’s woefully outdated digital infrastructure.”
A-LIGN's director of research and development, Joseph Cortese, cautions that the Order does look a bit like a tough-to-achieve wish list:
"Although the intent of this executive order is admirable, it’s quite a laundry list. Implementing everything listed will take a very long time – especially at the pace the federal government moves. But here’s what really compounds the issue: yes, every step in this executive order will serve to harden the systems in question, and each of these additional frameworks will move us in a more secure direction. But it is impossible to tell if the problems we’ve been experiencing are the result of fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security. Viewed through that lens, if we pile on more technology requirements that do not get adopted down the supply chain, we are no better off."
But wish list or not, Cortese still finds a lot to like about the Order:
"That said, there is a lot of strength in what the EO promotes. The aspect of this executive order that will have the most significant impact is the implementation of zero-trust architecture. When you look across all the controls that we use to secure technology, embodied in an ever-growing list of NIST Special Publications, it’s getting overwhelming. Zero-Trust can restructure our approach and deliver a fundamentally more secure architecture across the board.
"The executive order also has its failings. One area that needs further consideration is the private sector and how they share threat information. Setting this standard will take a great deal of time and result in new bottlenecks within the private companies that conduct the threat intelligence, now subject to new requirements for feeding this information to government systems. As someone who has worked in global threat intelligence, and for various agencies, the amount of information and volume of data may not be fully understood and could severely complicate the ability to execute much of this EO.
"The majority of cybersecurity hacks occur due to blatant disregard for security, such as lack of two-factor authentication, egregiously simple passwords, easy-to-access software repositories, and lack of brute-force protection. What’s so upsetting to me as a cybersecurity specialist is how many of these threats can be mitigated within the private sector by increasing security awareness within organizations and by bringing attention to existing policies and procedures. It may be that greater cybersecurity awareness is the most powerful weapon we could have when it comes to the private sector."
Mike Fleck, Senior Director, Sales Engineering, at Cyren, hopes the Executive Order will lead to cultural changes:
"Yes, it will make a difference. Good security requires a culture of security, and culture is set at the top. This EO signals to government agencies and the tech industry that serves them that they need to prioritize security (if they aren’t already doing so). Some of the requirements have been in place for years. Most government agencies have required encryption for classified information and other sensitive data like Personally Identifiable Information (PII). There are already breach notification requirements like the ones in the HIPAA/HITECH regulation that require affected organizations to share information with their federal government regulators. The focus on the software supply chain is smart. We know that supply chains are and have been a common attack target.
"Specifically, security standards for the software supply chain will have the largest impact. The government has been aspiring to use more Commercial Off-the-Shelf (COTS) software rather than custom-built solutions. However, it will be difficult to realize the full potential of this EO without some kind of enforcement. This EO could be similar to the process the government recently used to enforce proper security of sensitive government data stored on non-government systems. First, they published security standards (NIST 800-171) and required the defense industrial base to adhere to them. A few years later they implemented the Cybersecurity Maturity Model Certification to enforce compliance.
"Yes, the Software Supply Chain Security aspect should have deep reach into the private sector. The federal government has the largest IT budget in the United States so anyone selling software to government agencies should have to comply with the relevant aspects of this EO. Again, it will come down to enforcement so “should” becomes a “must.” Security requirements without enforcement are just security recommendations."
Atif Mushtaq, founder of SlashNext, situates the Executive Order in the context of recent attacks:
"As demonstrated with the Colonial Pipeline attack, ransomware is the number one cyber security threat and it’s also the number one security threat to humans. It impacts schools, medical centers, and communities. Phishing is the number one cause of ransomware, but to many people, even security professionals, conventional thinking is that phishing is an email issue. That approach doesn’t take into account attacks that come from beyond email from all digital communication channels.
"Human hacking happens in SMS, web, social, gaming, collaboration apps, search, as well as email. Ultimately, stopping phishing, social engineering, account takeover, BEC, SMishing, supply chain attacks, and data exfiltration would stop 95% of ransomware attacks."
Garret Grajek, CEO of YouAttest, welcomes the Executive Order, with the proviso that we understand the US doesn't exercise tight, national, autarkic control over the online traffic that transits its territory. Beijing aspires to that level of control, but Washington does not:
“The executive orders were a collection of efforts and thoughts around cyber security. Many included better coordination and communication between agencies and between government and the private sector. This is a welcome improvement. Immediate sharing of intel on attacks has to be implemented if the U.S. is going to get on top of Colonial-type ransomware attacks and other major threats.
“Of course in a free world and free internet, the US government does not own or control the traffic that goes across as a nation, the way China does. To counter this lack of centralized control, communication sharing is paramount, and the executive order includes a provision to create a new National Cybersecurity Safety Review Board. The National Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board, is an intelligent move toward this goal.
"Another important recommendation is the creation of a Standard Playbook to respond to ransomware and other attacks. It will lay out the federal departments and agencies and how they should respond.
“There is also a section on creating an "Energy Star" type label to be implemented on enterprise-deployed software to ensure that the software supply chain is not so easily attacked as it was in the SolarWinds attack. The idea is that baseline standards will be stipulated and greater visibility into the security of the software will be required before governmental entities can purchase software packages.
“What is important to note too is that none of the actions are forcing changes in private entities – they instead are focused on strengthening the practices and responses of our federal government systems, while providing a response plan to major attacks like the Colonial Pipeline hack. Nor is there an implementation or call for a government owned or supervised ICS network for America's critical infrastructure.”