The threat of cyberattack is clearly increasing. This increase signals the need for a broader strategy involving both the public and private sectors. For public sector organizations, partnering with the private sector can aid with defending agency IT infrastructure and environment and provide a roadmap for how the private and public sectors can effectively join forces.
It’s important to recognize the value in the industry embracing a collective defense approach. The threat is becoming too large to continue to treat cybersecurity as an “everyone for themselves” job. The Executive Order on Federal Cybersecurity—signed May 12 of this year—is an important step toward achieving a collective defense posture.
To break it down, the executive order has seven primary objectives:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector by requiring IT service providers to share certain breach information with the government.
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government by encouraging federal agencies to move more quickly to secure cloud services and adopt a zero-trust security architecture.
- Improve Software Supply Chain Security by establishing baseline security standards for software sold to the government.
- Establish a Cybersecurity Safety Review Board modeled after the National Transportation Safety Board.
- Create a Standard Playbook for Responding to Cyber Incidents, which can also be used by the private sector.
- Improve Detection of Cybersecurity Incidents on Federal Government Networks by creating a government-wide endpoint detection and response system.
- Improve Investigative and Remediation Capabilities by establishing cybersecurity event log requirements for federal agencies.
Three of these are recommendations agencies can jump on immediately without explicit federal specifications or guidance.
For example, the goal of objective #2—Modernize and Implement Stronger Cybersecurity Standards in the Federal Government—is to help move the federal government more quickly to secure cloud services and to adopt a zero-trust security architecture across the board. This mandates the deployment of multi-factor authentication and encryption within a specific time.
A zero-trust security model, specifically, should replace existing models currently placing inherent trust in the validity and identity of a particular user. Instead, all users and their actions should be considered untrustworthy by design. Your agency can start by disallowing access from unknown locations and highly restricting access outside of general working hours. Next, consider extending zero trust to data storage. Finally, data in transit and data at rest should be encrypted to ensure an attacker can’t bypass authentication and be presented with unencrypted data for review or download.
Objective #3, Improve Software Supply Chain Security, starts by aiming to establish baseline security standards for software sold to the government and calls for making security data publicly available. It also helps create a public-private process to develop more effective approaches to secure software development. Finally, it creates a pilot program to create an “Energy Star” type of label to quickly identify software developed securely.
Today, software—especially proprietary software—is sold with little accompanying information about, for example, how was it constructed, what languages/technologies were used, what types of security testing were performed, etc. As a purchasing entity, the federal government has the power to drive the market to build security into software development and maintenance processes and provide evidence of these processes to purchasers. One example is the “Software Bill of Materials” (SBOM), an initiative by the National Telecommunications and Information Administration (NTIA) specifying software will ship with a component inventory. Another initiative is the push for software labeling based on secure development processes, which include security testing throughout the software development life cycle. A third is automated security updates of software libraries and software components across this life cycle.
Objective #7, Improve Investigative and Remediation Capabilities, has a goal of establishing cybersecurity event log requirements for federal agencies to help enhance organizations’ ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.
Poor logging practices can limit fast incident recovery and hinder investigative actions by agency and law enforcement personnel. To meet the new mandate, your agency’s logs must be sufficient to support post-incident response, and they may be requested by external investigative entities such as the DHS Director of CISA and the FBI. To help meet the mandate more effectively, be sure to retain logs for an extended duration and implement protection mechanisms such as encryption—supported by cryptographic hashes—to ensure the integrity of this log data across the retention period.
Together, public and private sector establishments can collectively improve how agencies prevent, manage, and remediate threats and operations in the future. To establish successful public-private partnerships, there must be increased collaboration and coordination across the IT industry—and between those responsible for preventing incidents.
The executive order sets forth a roadmap for government vendors to do this. At SolarWinds, we appreciate the efforts of this administration, Congress, and other government authorities to elevate the importance of this issue by taking concrete steps to address and deter these threats moving forward.
Brandon Shopp is Group Vice President, Product, at SolarWinds and a regular contributor to Government Technology Insider.