Ex-USSS CISO Explains Agencies' Struggle with Biden EO
Ed Cabrera, former CISO of the US Secret Service and current Chief Cybersecurity Officer for Trend Micro, explains why Federal agencies are slow to comply with Biden's cybersecurity executive order.
Multiple federal agencies and departments have "failed to fully comply" with key security practices stipulated in the 2021 Executive Order (EO) signed by President Biden. While progress has been made, it occurred at a pace much too slow for the White House, leaving the U.S. government vulnerable to state-backed and cybercriminal attacks.
The heightened risk of attack is a driver for Trend Micro's global threat intelligence sharing and for the consolidation of cybersecurity tools, which improves visibility and efficiency and reduces costs.
Let's dive deep into some of the key aspects that keep CISOs up at night and how threat intelligence and consolidation can streamline efforts to comply with the EO.
Overview of President Biden's Executive Order on Cybersecurity
According to the factsheet published by the White House, the Executive Order addresses seven key points:
- Remove barriers to cyber threat information sharing between the government and the private sector
- Modernise and implement more robust cybersecurity standards in the Federal Government
- Improve software supply chain security
- Establish a Cybersecurity Safety Review Board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on Federal Government networks
- Improve investigative and remediation capabilities
The Executive Order also set several deadlines for implementing Zero Trust architecture and multi-factor authentication and for deploying endpoint detection and response (EDR) initiatives.
Security challenges
Mastering the Art of Logs: There's truth to the adage: "Old habits die hard." Federal agencies often work on legacy systems that don't necessarily align with advanced logging practices. Bringing these systems up to modern standards poses both technological and logistical challenges. Additionally, the immense volume of data makes efficient encryption of logs a complicated affair. Beyond just the technology to achieve this, there's a need for sturdy systems that can bear the cryptographic load. The challenge continues; centralising access is akin to piecing together different puzzles. Integrating many data formats and sources into a unified platform demands significant coordination across departments.
Infrastructure Revamp for Zero Trust Architecture (ZTA): Transitioning to ZTA is comparable to reconstructing a home while still living inside. It mandates significant alterations, such as network segmentation, the introduction of new security controls, and constant monitoring. However, the shift isn't solely technological. On the human front, there's a monumental cultural shift awaiting. Staff must transition to a realm where trust isn't a given but is earned. Embracing this mindset calls for comprehensive training and behaviour modification. Additionally, the vigilant eyes required for constant monitoring under ZTA bring forth a set of resource and expertise demands that might surpass availability.
Piecing Together the Software Puzzle: Delving into the realm of federal software systems sometimes feels like an archaeological expedition. Some of these systems have historical significance, and breaking down each component is time-consuming, requiring specialised tools and immense patience. As the software landscape continually evolves, maintaining an up-to-date Software Bill of Materials (SBOM) becomes akin to pursuing a constantly moving target. Furthermore, as systems have grown, they've integrated many external components. Keeping track of these, particularly in the fast-paced world of software evolution, is a mammoth task.
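To make the "moving target" point concrete, here is an added example (not code from the article or from Trend Micro) that indexes two CycloneDX-style JSON SBOMs and reports the drift between them: components added, removed, or re-versioned since the last review. The two SBOMs are constructed sample data, not from any real agency system.

```python
import json
from typing import Dict, Tuple

# Constructed CycloneDX-style SBOM fragments (sample data, not from any real system).
# BASELINE is the SBOM recorded at the last review; CURRENT was generated from today's build.
BASELINE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.8"},
    {"type": "library", "name": "libxml2", "version": "2.10.3"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
]})
CURRENT_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.12"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "library", "name": "curl", "version": "8.4.0"},
]})


def index_components(sbom_json: str) -> Dict[Tuple[str, str], str]:
    """Map (type, name) -> version for every component in a CycloneDX JSON SBOM.
    Components without a name are skipped; a missing version is recorded as 'unknown'."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index: Dict[Tuple[str, str], str] = {}
    for comp in doc.get("components", []):
        name = comp.get("name")
        if not name:
            continue
        index[(comp.get("type", "library"), name)] = comp.get("version", "unknown")
    return index


def sbom_drift(baseline_json: str, current_json: str) -> dict:
    """Report what changed between two SBOMs: components added, removed, or re-versioned.
    Any non-empty list means the recorded SBOM no longer describes what is actually deployed."""
    base, cur = index_components(baseline_json), index_components(current_json)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = sorted((k, base[k], cur[k]) for k in base if k in cur and base[k] != cur[k])
    return {"added": added, "removed": removed, "changed": changed,
            "in_sync": not (added or removed or changed)}


if __name__ == "__main__":
    report = sbom_drift(BASELINE_SBOM, CURRENT_SBOM)
    for kind in ("added", "removed", "changed"):
        for item in report[kind]:
            print(f"{kind}: {item}")
    print("SBOM in sync" if report["in_sync"] else "SBOM drift detected")
```

Running this check on every build, rather than at review time, is what keeps the SBOM from drifting away from the deployed software.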
Navigating the Resource Maze: The economic tug-of-war is evident. Every dollar channelled towards cybersecurity is one less for other vital projects. Thus, articulating the criticality of cybersecurity investments to decision-makers becomes an intricate dance of persuasion. The challenges continue beyond finances. The global race for cybersecurity talent has intensified, and for federal agencies, competing with the allure of private-sector compensation proves daunting. Add to this the renowned bureaucratic quagmire: lengthy government procurement processes turn the seemingly simple task of resource acquisition into an exercise in patience and tenacity.
Bridging Agency Islands: Collaboration between two agencies is riddled with pitfalls, especially when their technological maturity levels diverge significantly. The task is tantamount to choreographing a complex dance where each agency has its unique rhythm. Beyond technology, agency cultures, each with its idiosyncratic approach, must find harmony. And while collaboration is the endgame, it's not a carte blanche. Striking a balance between sharing essential information and ensuring data protection is a precarious endeavour akin to walking a tightrope.
Next steps
The longer federal agencies take to comply with the EO, the longer the U.S. government remains vulnerable to crippling cyberattacks. The path ahead is laden with anticipated and unforeseen challenges, but choosing a vendor like Trend Micro, with a proven track record of innovation and industry-leading global threat intelligence, can alleviate the burden while expediting compliance with the directive.