[BreachExchange] A Renewed Push to Improve the Nation's Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:03:51 EDT 2021


https://www.securityweek.com/renewed-push-improve-nations-cybersecurity

Biden's Executive Order to improve the nation’s cybersecurity is a good
first step, but it is unlikely to materially change the defensive posture
of the nation

In response to recent cybersecurity incidents such as SolarWinds, Microsoft
Exchange, and the Colonial Pipeline ransomware attack, President Biden on
May 12, 2021 signed an Executive Order (EO) to improve the nation’s
cybersecurity and protect federal government networks. For close observers,
this seems to be like Groundhog Day, as past incoming administrations have
issued similar executive orders to address insufficient cybersecurity
defenses that leave public and private sector entities vulnerable to
attacks. The National Institute of Standards and Technology (NIST)
Cybersecurity Framework and the Department of Homeland Security’s
Continuous Diagnostic and Mitigation (CDM) Program are good examples of
past attempts to strengthen the federal government’s security posture and
improve cyber resilience. The big question is whether the proposed actions
in this new EO are attainable.

For months, news headlines have been dominated by a series of cyber-attacks
that highlighted how vulnerable enterprises and government agencies are to
nation-sponsored threat actors and cybercriminals. Once these attacks
started impacting our economic security by leading to gas shortages and
nation-wide price increases, the Biden administration reacted swiftly,
acknowledging that the federal government must improve its efforts to
identify, deter, protect against, and respond to cyber-attacks and threat
actors.

In this context, the EO highlights numerous areas of weakness in the
nation’s cybersecurity defense strategy and proposes many commendable
practices to mitigate them, such as:

• Remove Barriers to Threat Information Sharing Between the Government and
the Private Sector: To enable more effective defenses of federal agencies
and improve the nation’s resilience, IT service providers will be required
to share certain data breach information that could impact government
networks.

• Modernize and Implement Stronger Cybersecurity Standards in the Federal
Government: To keep pace with today’s dynamic and increasingly
sophisticated cyber threat environment, the federal government must take
decisive steps to modernize its approach to cybersecurity, including
accelerating movement to secure cloud services, establishing a Zero Trust
architecture, and deploying foundational security tools such as
multi-factor authentication and data encryption.

• Improve Software Supply Chain Security: Besides establishing baseline
security standards for the development of software sold to the federal
government, the EO calls for the creation of a pilot program to create an
“energy star” type of certification so the government – and the public at
large – can quickly determine whether software was developed securely.

• Establish a Cybersecurity Safety Review Board: To analyze what happened
in a cyber-attack and derive concrete recommendations for improving
cybersecurity, the EO calls for the creation of a Cybersecurity Safety
Review Board, which is co-chaired by government and private sector leads.
This board is modeled after the National Transportation Safety Board, which
is used to investigate airplane crashes and other incidents.

• Create a Standard Playbook for Responding to Cyber Incidents: To assure
preparedness in taking uniform steps to identify and mitigate cyber
threats, the EO calls for the creation of a standardized playbook and set
of definitions for cyber incident response by federal departments and
agencies. The playbook will also provide the private sector with a template
for its response efforts.

• Improve Detection of Cybersecurity Incidents on Federal Networks:
Acknowledging the slow and inconsistent deployment of foundational
cybersecurity tools and practices across government agencies, the EO calls
for the deployment of a centralized endpoint detection and response
initiative, active cyber-hunting, containment and remediation, as well as
incident response.

• Improve Investigative and Remediation Capabilities: The EO creates
cybersecurity event log requirements for federal departments and agencies.

Where the Rubber Meets the Road

As with prior Executive Orders and cybersecurity frameworks, it is
important to note that none of the standards and requirements outlined are
applicable to commercial entities – instead, they’re focused solely on
strengthening federal government systems. However, much of our nation’s
critical infrastructure is owned and operated by the private sector, and
those organizations make their own decisions regarding cybersecurity
investments.

Another reason why some experts are skeptical about the success of
President Biden’s EO is that the bureaucratic environment within federal
agencies often leads to inertia when it comes to applying cybersecurity
best practices in their day-to-day operations. Exposure to cyber risks is
just one of many challenges that federal agencies must deal with. A lack of
funding and, to a greater extent, a lack of cyber talent are contributing to
slow adoption rates. Furthermore, many agencies are struggling to determine
which security framework or set of best practices would offer the highest
return on investment, as they’re simply overwhelmed by the regulations and
programs they must comply with.

Best Advice: Think Like a Hacker

Implementing an effective security strategy requires an understanding of
hackers’ tactics, techniques, and procedures – often called TTPs. Thinking
like a cyber-attacker allows security practitioners to focus on
implementing security controls with the greatest rate of return for
preventing breaches. In this context, it is encouraging that President
Biden’s EO calls out three often exploited threat vectors that government
agencies need to address if they want to effectively defend against today’s
threats:

• Compromised Identities: Government agencies should focus on hardening
access controls by verifying who is requesting access, the context of the
request, and the risk associated with the asset. The “never trust, always
verify, enforce least privilege” model, or Zero Trust, provides the
greatest security return on investment regardless of the industry.

• Endpoint Security: Endpoints serve as the main points of access to an
enterprise network and can be exploited by malicious actors. In fact, a
recent Ponemon Institute survey revealed that 68 percent of organizations
suffered a successful endpoint attack within the last 12 months. Thus, it
is vital to maintain granular visibility and control over these access
points to establish cyber resilience.

• Software Resilience: The development of commercial software often lacks
transparency, sufficient focus on the ability of the software to resist
attack, and adequate controls to prevent tampering by malicious actors. As
a result, there is a pressing need to implement more rigorous and
predictable mechanisms for ensuring that products function securely and as
intended.

Overall, this EO is a good first step, but it is unlikely to materially
change the defensive posture of the nation. If America’s national security
interests are to truly be protected, government agencies and enterprises
need to model their defense strategies by thinking like a hacker and
tackling the TTPs that are commonly used in today’s attacks.