On May 12, 2021, the Biden Administration issued its much anticipated Executive Order (EO) on Improving the Nation’s Cybersecurity.
The order was issued in response to a recent spate of software supply chain and cyber breaches such as SolarWinds, Codecov, Dependency Confusion, Microsoft Exchange, and Colonial Pipeline. These all remind us that US public and private entities face increasingly hostile activity from highly sophisticated adversaries.
Understanding the EO from a technical perspective is a complicated exercise that encompasses a wide variety of motives, attack vectors, engineering concepts, and rapidly evolving defensive strategies. Fortunately, understanding the EO from a human perspective, however, is really quite simple. In fact, everything you need to know about it, you probably learned in kindergarten.
Allow me to explain. In its simplest form, the EO provides the following directives:
Learn to Share.
In kindergarten, if you witnessed bad activity, you were encouraged to inform the teacher and share information. Similarly, the EO ensures that IT service providers are able to share information with the government and it requires them to divulge certain breach information as soon as possible. In the past, IT service providers would often hesitate to volunteer details about a compromise. There are many nuanced reasons for this, just like there were reasons why you didn’t always tell the teacher when you saw something bad happen in kindergarten.
But here’s the bottom-line: in kindergarten kids are expected to share information to help keep the classroom calm. They’re also encouraged to say they’re sorry when they hurt somebody and clean up their own messes. And now, as a result of the EO, IT vendors will be expected to clean up after themselves and say they’re sorry by sharing sensitive, clear information and rapidly notify officials when breaches occur.
Wash Your Hands Before You Eat.
Just because you took a shower before school, doesn’t mean your hands are clean at lunch time. In kindergarten, with constant reminders from our teachers, we learned the importance of “zero trust” hygiene and regular hand washing. The EO itself is like a teacher constantly instructing technology providers on the importance of zero-trust security practices. “Always wash your hands” is the same guidance as “always use multi-factor authentication” and “always encrypt your data in motion and at rest.”
Know What You’re Eating, and Eat Healthy.
The FDA food label first appeared in 1994 and was designed to provide students, parents, and kindergarten teachers everywhere with important nutritional information about the calories we consume to fuel our activities, including a full list of every ingredient. The EO is similar in that it establishes baseline security standards and states that all software sold to the government should come equipped with a software bill of materials (SBOM), which is a full ingredient list of every component in that software. The purpose of an SBOM is to maximize transparency with respect to the digital ingredients (both 3rd party open source code and 1st party source code) that comprise the applications which feed government employees and operators. Too much software, including mission critical software, is shipped with known vulnerabilities that get exploited by bad actors.
As stated in the White House fact sheet, “this has been a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.” In order to do this, we need transparency in software. To get transparency in software, we need all applications to come equipped with a detailed SBOM.
Learn from Your Mistakes.
If you make a mistake, learn from it, and do not repeat it. Too often IT organizations, like kindergartners, repeat the mistakes of the past and fail to learn valuable lessons. When something really bad happens (at school or in cybersecurity) concerned constituents must come together and ask hard questions to prevent the same mistake from happening again. Similar to a school safety committee designed to prevent recurring playground injuries, the EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. This board will convene in the wake of serious breaches to analyze what happened, and make concrete recommendations for preventing identical breaches from happening again.
Have a Plan in Case of Fire.
You never know when an emergency will strike. It’s important to develop and practice a standardized plan so you can respond efficiently when trouble occurs! The EO creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Just like Kindergartners cannot wait for an actual fire emergency to figure out how to exit the building safely, government agencies cannot wait until they are breached to figure out how to respond to an attack. The EO will create an incident response playbook that will ensure all Federal agencies meet a defined threshold and are prepared to take uniform steps to identify and mitigate cyber threats.
Hallway Monitors Help Improve Safety.
Just imagine being the principal of an elementary school. Hall monitors served as an extra set of trusted eyes and made it possible to maximize safety for the benefit of the entire community. The Executive Order itself establishes a “digital hall monitor” to improve the ability of the government to detect malicious cyber activity on all federal networks. Specifically, these digital hall monitors will observe government-wide endpoint detection and facilitate information sharing between Federal agencies for the benefit of our national cyber defenses.
Simply put, secure development and protecting our nation's software doesn’t need to be rocket science. Sure, we can debate the nuances of how everything in the EO gets implemented. But, with a little bit of kindergarten ingenuity, we’ll get to a better place and collectively improve our nation's cyber defense.