Why everyone should care about the Executive Order on Improving the Nation’s Cybersecurity
In May 2021, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity” (“Executive Order” or “Order”).
The Order outlines mechanisms through which the U.S. federal government should ensure that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” Everyone should care because the Order is important to national security, but everyone should also care because its impact will soon be felt by any entity regulated by any regulator.
While the Order speaks to improving the federal government’s own cybersecurity standards, it endorses certain essential best practices that any organization should view as the coming baseline for “reasonable” cybersecurity. Rest assured that it will become more and more difficult to decline to adopt such practices in the face of federal regulators that have read the Order. This is good news for security functions that need precious corporate resources, because the Order addresses many of the concerns raised by recent cyberattacks such as those impacting US Colonial Pipeline, SolarWinds, and Microsoft Exchange.
More importantly, the Order is not simply a whack-a-mole effort to address known attack vectors; it reflects an evolved understanding of what a “computer network” means in the context of cybersecurity. For legal and compliance professionals, understanding the technology is critical to understanding whether an organization has “reasonable security.” Below are some key takeaways regarding cybersecurity best practices that every organization should consider.
Although the Order primarily relates to standards the federal government will require of its vendors, there are certain best practices that the federal government considers necessary to a reasonable cybersecurity program:
Have an effective third-party risk program. In its efforts to modernize its own cybersecurity posture, the federal government recognizes that no network is an island, and rightly focuses heavily on how it can manage third-party risk. The Order itself highlights the following best practices as crucial:
- Standardizing your organization’s vendor requirements regarding cybersecurity, and requiring them by contract;
- Identifying the types of incidents and information that require reporting based on an assessment as to what your organization needs to effectively respond to and learn from a cybersecurity incident, and requiring them by contract;
- Identifying the types of information your vendors need to collect for effective incident response, and requiring that collection by contract;
- Identifying the relevant privacy-related controls that need to be in place, and requiring them by contract;
- Identifying the necessary cooperation and collaboration required from a vendor in the event of a potential or actual cybersecurity incident, and requiring it by contract; and
- For now, at least think about how you can mitigate software supply chain issues.
Unify your vulnerability and incident response plans and procedures. The Order recognizes that federal government agencies must standardize response plans and processes across agencies to ensure more coordination and better tracking of vulnerabilities and incidents. While some large corporate enterprises may have harmonized across all business units, years of mergers or expansion could easily lead to federated models or silos. These can be truly devastating for incident response.
Reexamine your logging requirements with incident response and remediation in mind. One of the dirty little secrets about logging is that it is arbitrary. Owners of network infrastructure and application code ultimately determine what types of information are “logged” within their environments. The Order recognizes that robust logging is required to look at a cyber incident and have the visibility to understand it, stop it, and learn from it. Accordingly, understanding whether your organization’s logging practices, standards, or procedures—both at the infrastructure and application levels—are sufficient for forensic incident response is important. As an added bonus for privacy officers and attorneys trying to understand whether an incident requires notification, such logging can often tell you whether particular records have been viewed, accessed, or stolen by a malicious attacker. Without sufficient logging, you may have to presume access to specific data based on access to a system, without having evidence one way or the other. Also, test your logging to ensure you are actually logging what you intend to. Chances are alarmingly high that there are glitches that could be embarrassing in an incident response.
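The difference between confirmed and presumed access can be made concrete. The following is an added example, not taken from the Order or from the authors; the log format, system names, account names and inventory are constructed for illustration. It scopes one account's activity during an incident window and shows how a system without record-level logging forces every record it holds into scope.

```python
import json
from datetime import datetime

# Constructed sample audit events (not from any real system). "crm" logs
# record-level reads; "billing" only logs that a session was opened.
SAMPLE_LOG = """\
{"ts":"2021-06-01T10:00:05","system":"crm","account":"svc-report","action":"login"}
{"ts":"2021-06-01T10:01:12","system":"crm","account":"svc-report","action":"read","record_id":"cust-1001"}
{"ts":"2021-06-01T10:01:40","system":"crm","account":"svc-report","action":"read","record_id":"cust-1007"}
{"ts":"2021-06-01T10:02:00","system":"crm","account":"alice","action":"read","record_id":"cust-2000"}
{"ts":"2021-06-01T10:03:30","system":"billing","account":"svc-report","action":"login"}
{"ts":"2021-06-01T18:00:00","system":"crm","account":"svc-report","action":"read","record_id":"cust-3000"}
"""

# Hypothetical inventory: every record each system holds.
INVENTORY = {
    "crm": {"cust-1001", "cust-1007", "cust-2000", "cust-3000"},
    "billing": {"inv-1", "inv-2", "inv-3"},
}

def scope_exposure(log_text, account, start, end, inventory):
    """Return {system: {"basis": ..., "records": set}} for one account and window."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    touched, reads, capable = set(), {}, set()
    for line in log_text.splitlines():
        ev = json.loads(line)
        if "record_id" in ev:
            capable.add(ev["system"])  # assumption: any record_id means record-level logging
        in_window = lo <= datetime.fromisoformat(ev["ts"]) <= hi
        if ev["account"] != account or not in_window:
            continue
        touched.add(ev["system"])
        if "record_id" in ev:
            reads.setdefault(ev["system"], set()).add(ev["record_id"])
    result = {}
    for system in sorted(touched):
        if system in capable:
            # Record-level evidence exists: scope to what was actually read.
            result[system] = {"basis": "confirmed", "records": reads.get(system, set())}
        else:
            # Only system-level evidence: every record must be presumed accessed.
            result[system] = {"basis": "presumed", "records": set(inventory[system])}
    return result

if __name__ == "__main__":
    found = scope_exposure(SAMPLE_LOG, "svc-report", "2021-06-01T10:00:00",
                           "2021-06-01T11:00:00", INVENTORY)
    for system, finding in found.items():
        print(system, finding["basis"], sorted(finding["records"]))
```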
Employ proactive “threat hunting” techniques. Long gone is the assumption that an organization can simply rely on perimeter defenses. The Order recognizes the fundamental mantra of any good cybersecurity program, which is to assume a breach. Once you assume your wall is not always effective, then the natural response to the risk of being attacked is to actively look for those threats within your “network” to identify and contain them before significant damage is done.
Employ endpoint detection and response (EDR) capabilities. EDR capabilities allow software to monitor user devices and, employing various data-analytic techniques, to automate response and isolation as required. While EDR is not a panacea, the federal government has recognized that organizations managing a large number of devices truly need such capabilities. This recommendation also recognizes modern thinking when it comes to cybersecurity. Rather than only assuming you can build a wall that prevents anyone from getting in, also have visibility and response capabilities that assume someone will breach that wall but allow you to respond and contain the situation before any real damage is done.
Employ zero trust principles. What is zero trust architecture? At its most basic level, it is network architecture that recognizes that networks are not static things protected by “walls.” How do you know when you are dealing with a traditional approach versus zero trust? In a more traditional approach to network architecture, access to a particular set of data or functionality is premised on the fact that the user (or service) account accessing it was at some point “authenticated into the network.” In zero trust architecture, authentication into a network is not really the point; the question of whether an account is entitled to access a resource is premised on all sorts of factors (for example, is this an account that just logged in from across the world a second ago?) that raise or decrease the risk associated with authorizing the transaction.
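The contrast between the two models, as an added example that is not from the Order or the authors: the entitlement table, the speed threshold, the risk weights and the "step_up" outcome are all assumptions chosen for illustration. The traditional check looks only at whether the session was authenticated; the zero trust check evaluates each request against entitlement and risk signals, including the "across the world a second ago" case.

```python
import math
from dataclasses import dataclass

@dataclass
class Request:
    account: str
    resource: str
    ts: float            # seconds since epoch
    lat: float
    lon: float
    device_managed: bool

ENTITLEMENTS = {("alice", "payroll-db")}  # hypothetical entitlement table
MAX_KMH = 900.0                           # assumed plausible travel speed

def km_between(a, b):
    """Great-circle (haversine) distance between two requests' locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def traditional_allow(session_authenticated):
    # Perimeter model: once authenticated into the network, access follows.
    return session_authenticated

def zero_trust_decide(req, last_seen):
    """Decide one request on its own: entitlement first, then risk signals."""
    if (req.account, req.resource) not in ENTITLEMENTS:
        return "deny"
    risk = 0
    if not req.device_managed:
        risk += 1                         # unmanaged device raises risk
    if last_seen is not None:
        hours = max((req.ts - last_seen.ts) / 3600.0, 1e-6)
        if km_between(last_seen, req) / hours > MAX_KMH:
            risk += 2                     # location change faster than travel allows
    if risk == 0:
        return "allow"
    return "step_up" if risk == 1 else "deny"

if __name__ == "__main__":
    # Constructed requests: New York, then Singapore one second later.
    ny = Request("alice", "payroll-db", 0.0, 40.71, -74.0, True)
    sg = Request("alice", "payroll-db", 1.0, 1.35, 103.82, True)
    print("traditional:", traditional_allow(True))
    print("zero trust:", zero_trust_decide(sg, ny))
```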
Although the Order applies to the federal government and its various vendors and service providers, it reflects some incredibly important best practices. If your organization has a fully matured cybersecurity program with regular assessments, it is important to keep these best practices and principles in mind when evaluating risk. If your organization has not done one already, consider a full cybersecurity risk assessment that accounts for the full panoply of best practices and solutions available to mitigate legal and business risk. This can provide both the technical teams and senior management with a roadmap of security items to address, and the right framework for truly understanding the organization’s current cybersecurity posture.
By Erez Liebermann, Andrew Pak, Caitlin Potratz Metcalf and Kunal Kanodia