On May 12, 2021, the Biden White House released an Executive Order focused on cybersecurity that it hopes will make significant strides in addressing one of the largest challenges that many of today’s federal government agencies and military organizations are facing: defending government data and networks from increasingly sophisticated and persistent cyberattacks. And the Executive Order couldn’t come at a better time. It was released just days after the ransomware attack against the Colonial Pipeline Company, although it wasn’t a direct result of that incident. That attack against a vital part of America’s critical energy supply chain was arguably one of the most impactful cyberattacks that our nation has experienced in the past decade. While the attack didn’t expose the personally identifiable information (PII) of millions of people, as the Experian data breach that impacted 24 million customers did, it had ramifications that reverberated across the entire east coast. With Colonial Pipeline shut down as a result of the ransomware attack, Americans began panic buying and hoarding gas, creating a gas shortage in multiple east coast states that lasted a number of days. That attack, coupled with the SolarWinds attack in 2020 that may have resulted in upwards of ten government agencies being breached, illustrates just how imperative it is to protect critical infrastructure and government agencies from cyberattacks today.
And the Executive Order could make great strides in helping government organizations better prepare for and protect themselves against a threat landscape that is getting bolder and better equipped with each successful breach. Let’s look at some of the provisions in the Executive Order and what they mean for government agencies.
A mandate to share data and innovate
The Executive Order is quite large and far-reaching, attempting to cover multiple large issues and challenges that the government is currently facing in network and data security. Each section of the Executive Order lays out desired changes and new initiatives for government agencies to take in an attempt to better control who is on their networks, more quickly identify malicious activity, and more effectively share breach data and information across agencies and with private sector partners. The Executive Order works to make changes in the government’s contracts and agreements with private sector IT service providers. These changes are intended to increase information sharing and require that the government and its industry partners disclose breach information early on, so that every organization involved is aware of potential threats and can take preventative steps to protect their networks. In Section Three of the Executive Order, government agencies are encouraged to embrace secure cloud solutions. CISA and OMB are also tasked, respectively, with developing secure cloud adoption practices and guidelines and a federal cloud security strategy. But the cloud isn’t the only new technology that the Executive Order advocates for within the government. It also encourages agencies to begin embracing a Zero Trust approach to network security and multi-factor authentication for identity management. However, what I find most exciting among the provisions of the Executive Order is the entire section dedicated to securing the application and software supply chain.
Securing the software supply chain
Vulnerabilities in the application layer remain some of the most exploited in cyberattacks across all sectors and industries. This means that taking steps to advance the secure development of applications within the government, and by those that make applications for the government, can go a long way towards protecting agencies and their data from malicious actors. Dedicating an entire section of the Executive Order to securing the software supply chain is something that I applaud, since insecure, vulnerable software is such a risk for our government, especially at a time of digital transformation, when software is starting to play an outsized role in agency operations. And, at Checkmarx, AppSec and developing secure software is something that we take very seriously. However, the Executive Order itself doesn’t directly mandate specific actions that government organizations must take to secure their software development lifecycle or software supply chain. Rather, it directs the Secretary of Commerce and the Director of NIST to, “…solicit input from the federal government, private sector, academia, and other appropriate actors to…issue guidance identifying practices that enhance the security of the software supply chain.” The Executive Order instructs the Secretary of Commerce and the Director of NIST to include criteria in that guidance regarding:
- Employing automated tools, or comparable processes, to maintain trusted source code supply chains
- Employing automated tools, or comparable processes, that check for vulnerabilities and remediate them
- Maintaining accurate and up-to-date data, the provenance of software code or components, and controls on internal and third-party software components
- Providing purchasers a Software Bill of Materials (SBOM) for each product
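To make the last two criteria concrete, here is an added example (not code from the original post, from Checkmarx, or from NIST) of what a minimal SBOM looks like and how a purchaser can use it as a provenance control: the supplier emits a CycloneDX-style SBOM listing each third-party component with a package URL and a SHA-256 hash, and the purchaser checks the artifacts actually delivered against that list. The dependency set, the artifact bytes and the "received" delivery are all constructed for illustration; the CycloneDX field names follow the public CycloneDX 1.4 JSON schema, while the helper names (build_sbom, verify_against_sbom, demo_report) are this example's own.

```python
"""Build a minimal CycloneDX-style SBOM for a constructed dependency set and
verify the components actually delivered against it.

Added example; not code from the original post or from Checkmarx. The
dependency list and the 'received' artifacts are constructed here for
illustration. Field names (bomFormat, specVersion, components, purl, hashes)
follow the public CycloneDX 1.4 JSON schema; the helper names are our own.
"""
import hashlib
import json

# Constructed sample: (package name, version) -> bytes of the artifact the
# supplier built from. Real SBOM tooling derives these from a lockfile and
# the built artifacts rather than from a literal like this.
SUPPLIER_ARTIFACTS = {
    ("requests", "2.25.1"): b"requests-2.25.1 wheel contents (constructed)",
    ("urllib3", "1.26.5"): b"urllib3-1.26.5 wheel contents (constructed)",
    ("certifi", "2021.5.30"): b"certifi-2021.5.30 wheel contents (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the hash algorithm recorded in the SBOM."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: dict, product_name: str, product_version: str) -> dict:
    """Return a CycloneDX 1.4 document (as a dict) listing every component
    with a package URL and a SHA-256 hash so a purchaser can check provenance."""
    components = []
    for (name, version), blob in sorted(artifacts.items()):
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": product_name,
                                   "version": product_version}},
        "components": components,
    }


def verify_against_sbom(sbom: dict, received: dict) -> dict:
    """Compare what a purchaser received (purl -> artifact bytes) with the SBOM.

    The report separates components whose hash matches ("verified"), components
    declared in the SBOM whose hash differs ("mismatched": substituted or
    tampered), components delivered but never declared ("undeclared"), and
    components declared but not delivered ("missing")."""
    declared = {}
    for comp in sbom["components"]:
        sha = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        declared[comp["purl"]] = sha
    report = {"verified": [], "mismatched": [], "undeclared": []}
    for purl, blob in received.items():
        if purl not in declared:
            report["undeclared"].append(purl)
        elif declared[purl] != sha256_hex(blob):
            report["mismatched"].append(purl)
        else:
            report["verified"].append(purl)
    report["missing"] = sorted(set(declared) - set(received))
    return report


def demo_report() -> dict:
    """Run the check on a constructed delivery: requests intact, urllib3 altered
    after the SBOM was cut, certifi never shipped, and an undeclared extra."""
    sbom = build_sbom(SUPPLIER_ARTIFACTS, "agency-portal", "3.2.0")
    received = {
        "pkg:pypi/requests@2.25.1": SUPPLIER_ARTIFACTS[("requests", "2.25.1")],
        "pkg:pypi/urllib3@1.26.5": b"urllib3-1.26.5 wheel with injected payload (constructed)",
        "pkg:pypi/leftpad@0.0.1": b"leftpad-0.0.1 (constructed, undeclared)",
    }
    return verify_against_sbom(sbom, received)


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

The point of the hash per component is that an SBOM listing names and versions alone only tells a purchaser what the supplier claims to have shipped; the hash lets the purchaser confirm that the bytes they received are the ones the supplier built from, which is the provenance control the criteria above are asking for. In practice the "mismatched" and "undeclared" buckets are the ones that should block deployment pending investigation.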