On the heels of two of the largest hacks in United States history (SolarWinds and Microsoft Exchange Server), President Biden released an executive order on May 12th dealing with cybersecurity. Let’s dig into what’s in the order and how it could affect the nation’s cyber defense strategy.
The breakdown
Remove barriers to sharing information
IT contractors collect a vast amount of data every day for federal government agencies. Due to contractual obligations and restrictions, however, these agencies don’t share this data freely with each other. This can lead to knowledge gaps and situations where agencies can’t put together a complete picture of a threat. This executive order seeks to eliminate these knowledge gaps by amending service provider contracts and streamlining the information-sharing process.
AXEL Commentary: Since organizations are already collecting this data, ensuring a pipeline for sharing seems like a good idea. The caveat is that there were no specifics as to what is actually being collected daily. For example, are they tracking international or domestic actors? Both? Does it violate privacy or civil liberties? When you’re talking about the U.S. Government surveilling people under the guise of national security, the track record is spotty, to say the least.
Modernize federal cybersecurity
There are no reasons given why the current cybersecurity protocols are lagging, but let’s assume that the Administration is correct that the government isn’t on the cutting-edge of cyber defense. Of course, you’d hope this assumption wouldn’t apply to agencies dealing with crucial defense systems such as nuclear weapons, but…
The main priority of this section is to migrate federal computer systems to cloud-based options that integrate ‘Zero Trust Architecture.’ Zero Trust networks eliminate the concept of an ‘edge’ and require all users, whether they connect through a local or cloud-based node, to validate and provide the necessary credentials to maintain access.
AXEL Commentary: Zero Trust Architecture is an excellent idea in an ideal world. In reality, thus far, it’s proven to be little more than the go-to buzzword for IT department heads. The cost of updating legacy systems to the Zero Trust model would be prohibitive. The Administration is talking about updating all federal networks to this method. Knowing how slow government can be to upgrade, it seems infeasible that Zero Trust security can be implemented holistically any time in the near future. The technical difficulties combined with the eventual re-training efforts required would be enormous.
Solidify security throughout the software supply chain
As the recent hacks proved, federal agencies often rely on private third-party vendors for their software solutions. These solutions typically aren’t developed with cybersecurity as the main priority, leaving critical systems susceptible to attack. This order aims to incentivize organizations throughout the supply chain to harden their security systems.
AXEL Commentary: Again, it comes down to the question of practicality. The order prioritizes this initiative specifically for ‘critical systems,’ so the scope is at least somewhat limited. It certainly makes sense to ensure software providers for important systems prioritize security. The details for how this would actually play out are scarce, but there is some optimism that it can be accomplished.
Create a Cyber Safety Review Board
This order establishes the framework for a Cyber Safety Review Board. Members on the board would assess ‘significant cyber events’ taking place on national networks and recommend remediation procedures or tips for future prevention.
AXEL Commentary: Jokes about the unstoppable expansion of governmental bureaucracy aside, it’s surprising such a committee doesn’t already exist. Cyber-attacks have been a national security threat for decades, so you’d figure there would be a board that analyzes attacks, but evidently not. However, depending on the competence of those assigned to this committee, it could help with future incidents.
Standardize cyber incident response across agencies
The Administration wants to unify the response guidelines for federal agencies to provide a coherent interdepartmental plan. This would result in a more coordinated response with standardized incident logging procedures, making analysis and cooperation easier.
AXEL Commentary: Theoretically, this change could be beneficial. It depends on how different the systems of individual agencies are, however. If one department’s specific network requires a significantly different and more tailored response, making it a ‘one-size-fits-all’ situation could hamper remediation efforts. Unified logging procedures are a good idea in any case.
Improve vulnerability detection capabilities
0-day, or previously unknown, exploits are a common way hackers breach sensitive networks. The executive action looks to deploy more resources toward vulnerability detection.
AXEL Commentary: The specifics of the ‘how’ here aren’t detailed. Is the government going to employ teams of penetration testers who search out a system’s weak points? Hopefully, because that’s the best way to find exploits. Of course, this assumes there are people in federal agencies who have the skills to tackle the task. If not, the lag between finding, clearing, hiring, and deploying the necessary white hat hackers could be considerable.
And those are the main points of the executive action. There are a few other sections, but they piggyback and expand upon these goals. If you’d like to read the entire document for yourself, visit whitehouse.gov and do so. Let us know if you think we left out anything important! Overall, it’s an interesting plan that sounds great on paper. It’s hard to argue that the United States doesn’t need to overhaul its cybersecurity practices.
As always, the devil is in the details. How exactly will the plan’s implementation go? Will it be funded adequately? What problems will agencies run into along the way? Only time will tell, but we hope for a resounding success.
AXEL: Secure solutions for your organization
Most software products aren’t geared toward robust cybersecurity, and the United States government agrees. AXEL offers an alternate path that provides high-tech security without sacrificing usability. The secure, private file-sharing and cloud storage platform, AXEL Go, embodies this philosophy. Developed with integrated blockchain technology, InterPlanetary File System integration, and 256-bit encryption capabilities, AXEL Go is the best way to share and store files online safely. Try it out today and receive a 14-day free trial of our premium service. You’ll see how easy cybersecurity can be. So, stop waiting for a data breach and protect your organization with AXEL Go.