Impact of the Cybersecurity Executive Order on the private sector
By Matt Malarkey | Date published: 29 October 2021
In the wake of major high-profile cyber-attacks, including incidents involving SolarWinds and the Colonial Pipeline, the Executive Order issued by the US President in May 2021 seeks to enhance US national cybersecurity and improve the protection of federal networks.
The executive order (EO) recognizes the importance of the private sector’s cooperation to protect against the rising number of threats. It also acknowledges the challenge that poor cybersecurity within the federal supply chain presents to the US government, and so urges organizations to take immediate action to improve their security.
What does the Cybersecurity Executive Order include?
The Cybersecurity Executive Order seeks to make a significant contribution towards modernizing federal cybersecurity defenses, facilitating information-sharing between the public and private sector, and strengthening the US government’s ability to respond to cyber incidents when they occur. It also focuses attention and effort towards improving software supply chain security by establishing baseline security standards for the software purchased by the government.
A Cybersecurity Safety Review Board has also been established and is chaired by leaders within both the government and private sector organizations. It is the Board’s responsibility to convene in response to an incident to analyze the event and make recommendations for avoiding recurrences.
While the EO is largely designed to protect the networks of federal agencies, the private sector is being urged to align their standards too. In a memo shared by the White House in June, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, stated that private sector organizations have a critical responsibility to protect the United States against the threat of ransomware. The memo encouraged businesses leaders to take urgent action to review their security posture and outlined several best practices for immediate implementation.
These practices include keeping offline backups of data and configurations and regularly testing them, updating and patching systems promptly, segmenting networks. and using a third-party penetration tester to test the strength of security. It is also crucial to test an organization’s incident response plan.
The Industrial Control Systems Cybersecurity Initiative
On July 28, the President issued a National Security Memorandum, establishing a new initiative and voluntary cybersecurity goals that clearly outline the expectations for owners and operators of critical infrastructure. Critical functions are defined as those that are so vital that their disruption, dysfunction, or corruption would debilitate US national security, the economy or the health and safety of the public.
The Memorandum announced the creation of the Industrial Control Systems Cybersecurity Initiative, which aims to help facilitate the deployment of cybersecurity systems and technologies that provide threat visibility and detection, and improves response capabilities for critical infrastructure. The initiative also helps to pave the way for the improved sharing of threat information between the federal government and industry.
Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives
In September, following up on the Memorandum, the Department of Homeland Security and the Department of Commerce released their preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives. These preliminary goals were developed in conjunction with the National Institute of Standards and Technology (NIST), and are set to be finalized after stakeholder consultation in the coming months.
There are nine categories of goals and specific objectives that represent the most essential cybersecurity best practices for both federal and private sector organizations. Two key elements included in this are Configuration and Change Management and Continuous Monitoring and Vulnerability Management.
The configuration management goal is critical because, through ensuring that new systems are deployed in a secure consistent state and maintain this state as changes are made throughout their lifecycles, this reduces the risk of security and compliance issues. An enhanced objective for this goal is conducting network baseline analysis to understand approved communication flows.
Continuous monitoring ensures that security controls, processes and procedures are in place and consistent. This goal instructs organizations to follow a schedule of pen testing, continuous monitoring, and vulnerability assessments, for which there are automated auditing tools to help. Monitoring from malicious activity and the implementation of anti-virus, anti-malware and anti-phishing technologies are also covered under this goal.
How were the goals and objectives identified?
A cross-sector approach was used in the development of these goals and objectives, with the Cybersecurity and Infrastructure Security Agency (CISA) working with NIST to review current control system resources and recommendations that have been produced by government and organizations within the private sector.
How can private sector organizations ensure they meet them?
The security of networks in the private sector and infrastructure stability has always been a concern for the government, with the current administration promising to take a more hardline stance on these matters. This was observed earlier this year following the massive data breach involving the communications giant T-Mobile, when a hacker claimed to have accessed over 30 million US customers’ sensitive personal data and offered to sell it for 6 bitcoin. The Federal Communications Commission (FCC) subsequently launched an investigation into the event.
As consumers become more aware of these security standards and objectives, they will expect more from the private sector, and expect those who fail to protect their data to be held accountable.
Section six of the new Cyber EO has given CISA the responsibility of creating a Standard Playbook for Responding to Cyber Incidents to validate incident response and remediation processes. The playbook will define new key terms, and private sector organizations should prepare for new official language and response patterns in the future.
As the T-Mobile data breach demonstrated, cyberattacks are an increasingly significant threat and prevention of attacks is key to ensuring organizational continuity. Auditing your organization’s core network devices regularly to detect network misconfigurations is needed to identify and remediate vulnerabilities. The Titania Nipper tool provides remediation advice and exact technical fixes for misconfigurations in firewalls, switches, and routers, automatically prioritizing risks and reducing the amount of time spent investigating false positives.
Nipper also provides an out-of-the-box ability to evidence compliance with trusted Risk Management Frameworks (RMF) and security standards, including NIST 800-171, DISA STIG, CMMC and PCI.
Get a free trial of Nipper to see how this auditing software can help you meet the necessary cybersecurity performance objectives and keep your network secure.
Government, academia, and industry – referred to by Dr. Ron Ross as the “essential partnership” – must continue to work together to deliver the EO’s outcomes and achieve common goals and objectives. Indeed, collaboration is foundational to this success and will be required to defeat today’s threats, which are well-funded and orchestrated by nation states.