USA: Executive Order on Improving the Nation's Cybersecurity: What's different this time?
"The art of [cyber] war is of vital importance to the State. It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected." - Sun Tzu. On Wednesday, 12 May 2021, the Biden Administration issued an Executive Order on Improving the Nation's Cybersecurity. The fact sheet lists '...SolarWinds, Microsoft Exchange, and the Colonial Pipeline...'[1] as recent motivations. Alex Sharpe, Principal at Sharpe Management Consulting LLC, takes a look at the historical context behind the Executive Order and some of its key proposals.
Many of us cyber professionals who had operated in this space before it became popular saw the Ghosts of Christmas past. Still, we remain optimistic it may take hold this time, and the private sector's impact may not be significant. Let's march through a bit of history and talk about why it might stick this time. Along the way, we will talk about some practical implementation realities.
What's old is new again
23 years ago, almost to the day, President Clinton signed a very similar order, Presidential Decision Directive 63 ('PDD63')[2], supporting Executive Order 13010 - Critical Infrastructure Protection, issued about two years earlier in July 1996[3].
At first blush, they look very much alike, talking about the threat, the need for private / public partnerships, and protecting critical infrastructure. Looking a bit deeper, the latest Executive Order builds upon what has evolved by further reducing barriers to information sharing, mandating the deployment of crucial technology like multi-factor authentication ('MFA') in the Federal Government, establishing a Cybersecurity Safety Review Board modelled after the National Transportation Safety Board ('NTSB'), creating a standardised playbook for responding to 'cyber incidents', and the implementation of something akin to an 'energy star' label.
This Executive Order places greater emphasis on the digital supply chain and, while not explicitly stated, third-party risk management ('TPRM').
It also mandates that government agencies implement controls, such as MFA and data encryption, that the US Government and regulators previously required of private organisations.
The difference this time may be a combination of appetite, economics, and precedent.
Looking across sectors, we have the appetite, and the awareness exists. Cybersecurity has become a board conversation. It is a business risk to be managed. It is part of the daily news. The average person at least recognises the concept.
With all of the potential infrastructure legislation in play, the investment could quickly become available to fund much of what is required. Prior EOs and legislation were criticised for not being funded.
We have a precedent that can quickly become the template. The US Department of Defense ('DoD') created the Cybersecurity Maturity Model Certification ('CMMC'). In short, it expands NIST 171 and mandates certification by third-party auditors. It has teeth: contractors cannot be awarded contracts without being certified. CMMC also demonstrates that Congress has the appetite to amend policy and legislation to improve our cybersecurity posture. Why not roll it out across ALL Government? Why not work with regulators and the like to do something similar for everyone they oversee (e.g. public utilities)?
The 'Energy Star' concept is not new. It goes all the way back to the 'Orange Book' from the 80s[4]. Today we have FedRAMP, CMMI, and private sector efforts like the Cloud Security Alliance ('CSA')[5]. Each provides a graded level of security based on the criticality of the data and the services provided. Following those models, the 'Energy Star' labels could be graded by the criticality of the data, the type of service offered, and the systemic risk presented. For example, a cloud provider holding the intellectual property of hundreds of customers would have a different set of requirements (and scrutiny) than a five-person DoD contractor only handling Federal Contract Information ('FCI')[6]. There are many lessons to be drawn from third-party attestations like Service Organization Control ('SOC') reports[7].
Small and medium-sized businesses ('SMB') often do not have the internal expertise or the budget. An 'Energy Star' rating system, if implemented correctly, could be the offset. Since most larger companies actively engage SMBs, it would help their TPRM while strengthening the digital supply chain.
Carrot and stick
Let's face it, many businesses and parts of our critical infrastructure will do the right thing because it makes sense for their business, their clients, or to be patriotic. A smaller percentage will not, because they lack the skills, cannot justify the cost, or lack awareness.
Suppose we are serious about protecting our critical infrastructure. In that case, we need to create a series of checks and balances with accountability showing clear rewards for those who comply and clear downsides for those who do not.
Government can take lessons from the private sector playbook and the regulators. Governance, Risk Management & Compliance ('GRC') is a widely accepted framework providing multiple layers of defence across technical controls, process, and enforcement. The key to GRC is the separation of those who implement and those who assess; those who audit are different again from those who assess or implement.
One of my colleagues, John Callahan, has a very memorable way of reminding us that tools and products alone are not enough: "We need better gunslingers, not better guns."
Why do investors put more trust in audited financials than they do in a company's pro forma financials? Simple: audited financials have been reviewed by an independent third party who does not have a conflict of interest. Auditors can go out of business if it is perceived they are not independent. Does our cybersecurity not warrant the same level of rigour? The cybersecurity self-certification the US Government has relied on clearly has not worked.
Private institutions share information as required by law while also actively sharing with business parties, counterparties, and the like because it makes good business sense. They are often reluctant to share information with government and law enforcement because they do not see the value and, unfortunately, question how it will be used. Even when they want to share, they do not know whom to share it with or how.
Let's hope we can consolidate the reporting requirements that already exist, rather than just create a new set. Every state, every regulator, and every insurance policy has its own reporting requirements.
Why are private / public partnerships so important?
The answer is pretty simple when you start digging through the role of each. Net-net, we need each other.
Let's not forget, here in the West, there is a clear separation between the private and public sectors. Often in other countries, what we know as the private sector is not so private. It is not unusual to have a relationship with the military and the intelligence community. Even when the connection is not so direct, the hackers have a haven where local law enforcement is not motivated to shut them down.
Government has the best grasp of the threats, capabilities, and willingness of those who wish to harm us. It has a broader view across sectors and geography. Government has the ability to marshal resources across sectors, geographies, and our allies. Government has the greatest enforcement mechanisms (e.g. regulations and legislation). The Government also carries the biggest stick and can flex its muscle in ways the private sector cannot. Those who wish to harm us take notice of sanctions by the US Government and our allies.
The private sector is the feet on the street and the innovators. They are our eyes and ears. We need them to keep us abreast of what they are experiencing and how they are responding. The private sector implements the controls. We also need the private sector to innovate and advance the state of the art.
Alex Sharpe, Principal
Sharpe Management Consulting LLC
[1] Fact Sheet, The White House, available at: https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/
[3] Homeland Security Digital Library