Word Notes 9.14.21
Ep 67 | 9.14.21

Executive Order on Improving the Nation's Cybersecurity (noun)
Rick Howard: The word is: President Biden's Executive Order on Improving the Nation's Cybersecurity. 

Rick Howard: Spelled in three parts: executive order, as in a United States President's formal directive that has much of the same power as federal law; improving, as in enhancing; and finally the Nation's Cybersecurity, as in the federal government's security posture.

Rick Howard: Definition: President Biden's May 2021 formal compliance mandate for federal civilian executive branch agencies, or FCEBs, to include specific short-term and long-term deadlines designed to enhance the federal government's digital defense posture.

Rick Howard: Example sentence: By law, President Biden's Executive Order on Improving the Nation's Cybersecurity applies only to the federal government and its systems. By extension, though, it applies to the thousands of government contractors and subcontractors that provide IT services to the US Government.

Rick Howard: Origin and context: On May 12th, 2021, the United States President Joe Biden signed Executive Order 14028, mandating that all federal information systems meet or exceed specific standards and requirements for cybersecurity to include, and this is a long list so bear with me, improvements to the Federal Acquisition Regulation, or FAR; streamlining the FedRAMP process; mandating that software vendors provide a Software Bill of Materials, or SBOM, for products sold to the government and submit to some kind of software review; streamlining cybersecurity information sharing internally among Federal Civilian Executive Branch Agencies and with cloud service providers; budgeting plans for implementing a Zero Trust Architecture, accelerating deployment to secure cloud services, building a data analytics capability across the federal government and hiring the necessary people to manage everything; publishing strategy and guidance on cloud security; developing procedures, or playbooks, for interagency incident response; developing government communal services that branch agencies can use during a crisis; deploying multifactor authentication; deploying encryption at rest and in motion; deploying endpoint detection and response, or EDR; defining what critical software is and additional security requirements for software that meets that definition; establishing consumer IoT device labeling requirements; establishing a Cyber Safety Review Board of government and commercial practitioners to review and assess significant Branch Agencies' cyber incidents; and finally, a mandate for all branch agencies to participate in some kind of continuous diagnostic and mitigation program. Whew. That's all.

Rick Howard: The executive order is arguably the most comprehensive federal cybersecurity enhancement program in the history of the United States. And these are not just suggestions. Each plank in the plan comes with short-term and long-term deadlines that are due mostly in 2021 and 2022. That's the good news. The bad news is that presidents have tried this in the past without much success. On February 12th, 2013, just before the State of the Union address, former President Barack Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. It focused on three key areas: information sharing, privacy, and the adoption of cybersecurity practices. But years later, according to Taylor Armerding from CSO Online, "Experts agree that while President Obama put time, effort and political capital into improving cybersecurity, their results are not encouraging. Ultimately it didn't accomplish the goal of making either government or the private sector more secure." As an example, on President Obama's watch, one or more Chinese nation state hacker groups breached the Office of Personnel Management, or OPM, and exfiltrated the personal data of nearly 22 million federal employees, arguably one of the most successful cyber espionage operations known by the public conducted in the last decade.

Rick Howard: That said, President Biden's Executive Order is an even bigger swing than President Obama's, and the things he's asking for are all capabilities that the federal government needs. We will be watching closely and wish him all success in this endeavor.

Rick Howard: Nerd reference: On 16 May 2021, President Biden spoke to the press about the Colonial Pipeline ransomware attack and the need to make infrastructure more resilient. At this press conference, he announced his Executive Order on Improving the Nation's Cybersecurity and described the goals behind it.

President Biden: And last night, I signed an executive order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector, to share information, strengthen cybersecurity practices and deploy technologies that increase reliance against cyber attacks and outlines innovative ways the government will drive to deliver security and software, using federal buying power to jumpstart the market and improve the products that all Americans use. 

Rick Howard: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.