The News: Last week President Biden met with the CEOs of Microsoft, Amazon, Google, Apple, and IBM, among others, to stress the importance of cybersecurity to the nation’s interests and to seek collaboration with the private sector to combat the cyberattacks that are becoming an almost daily occurrence. Read more at Reuters.
Biden Administration Appeals to Big Tech to Raise the Bar on Cybersecurity
Analyst Take: In good news on the cybersecurity front, the Biden Administration met with Big Tech leaders in Washington, D.C. last week, asking for help in raising the bar on cybersecurity, stating “The federal government can’t meet this challenge alone. You have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity.”
The meetings on Capitol Hill last week relate directly back to President Biden’s Executive Order dated May 12th, full details of which can be found here. Against a backdrop of the increased frequency and spiraling scale of attacks, oftentimes carried out by hostile nation states, President Biden had no option but to step in.
The Executive Order is hard reading and focuses on compelling government departments and agencies to provide reports back to the Executive Branch within set time frames rather than actually spelling out the tasks that need to be completed, but it is a step in the right direction. The meetings last week came on the back of a sustained effort by the Biden administration to solicit information sharing from private stakeholders following cyberattacks. Over the last few months, lawmakers have struggled with questions over whether to mandate reporting for private companies targeted by ransomware attacks.
Only last month, a bipartisan group of senators — including Senators Susan Collins (R-ME), Mark Warner (D-VA), and Marco Rubio (R-FL) — introduced a cyber bill that, if passed, would require federal contractors and operators of critical infrastructure to disclose cyber intrusions within 24 hours. Senator Collins has long been trying to make progress in this domain and proposed a largely similar bill in 2012.
Talking about the journey of the proposed bill, the Senator from Maine stated “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.”
The recognition that the government cannot, on its own, secure not only its own systems but also those of its key suppliers and ultimately its citizens is also encouraging. While the government has huge resources, in most cases the government and its various departments and agencies are consumers of technology created by big corporations. So, while the government can set guidelines, and does through the likes of NIST (National Institute of Standards and Technology), it will need the help of Big Tech in order to be successful.
This is Where Zero Trust Goes Prime Time
And now, what I believe we’re going to see moving forward is Zero Trust going prime time, which is a very good thing. The first mentions of Zero Trust architectures date back to as early as 1994 in academia and have tracked a slow path of progression to more widespread adoption in the last couple of years, with NIST publishing a set of guidelines in 2020.
Fundamentally, the Zero Trust Architecture approach works on the premise that with the proliferation of cloud computing, be that on premises, in the public cloud or in a hybrid model, rampant mobile device usage, and an explosion of connected smart IoT devices, the traditional network boundary concept is no more. The design principle of Zero Trust architecture is that securing or hardening the physical network against bad actors is no longer sufficient. By architecting the deployment of IT systems to ensure that no person, device, or network enjoys inherent trust, overall security posture can be improved in a perimeterless world.
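To make the "no inherent trust" principle concrete, here is an added illustration (not code from the original article or from NIST): a legacy perimeter check that trusts any request from the internal address range, beside a Zero Trust check that evaluates identity, device posture, and resource policy on every request and ignores the source network entirely. The session store, device inventory, and policy table are constructed sample data standing in for an identity provider, a device-management or attestation service, and a policy engine.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (hypothetical): in practice these come from an identity
# provider, an MDM/attestation service, and a central policy store.
VALID_SESSIONS = {"tok-alice": "alice"}
DEVICE_POSTURE = {"laptop-42": {"managed": True, "disk_encrypted": True, "patched": True},
                  "byod-7": {"managed": False, "disk_encrypted": True, "patched": False}}
POLICY = {"payroll-db": {"allowed_users": {"alice"}, "require_managed_device": True}}


@dataclass
class Request:
    source_ip: str
    session_token: Optional[str]
    device_id: Optional[str]
    resource: str


def perimeter_authorize(req: Request) -> bool:
    """Legacy model: anything arriving from the 'internal' 10.0.0.0/8 range is trusted.
    Identity and device state are never examined."""
    return req.source_ip.startswith("10.")


def zero_trust_authorize(req: Request) -> Tuple[bool, str]:
    """Zero Trust model: every request is evaluated on who is asking, from what
    device, for which resource. The source network contributes nothing; the
    default outcome is deny."""
    user = VALID_SESSIONS.get(req.session_token or "")
    if user is None:
        return False, "no valid identity"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource: default deny"
    if user not in rule["allowed_users"]:
        return False, "user not authorized for resource"
    if rule["require_managed_device"]:
        posture = DEVICE_POSTURE.get(req.device_id or "")
        # Every posture attribute must hold; an unknown device fails closed.
        if not posture or not all(posture.values()):
            return False, "device posture not attested"
    return True, "allowed"
```

The same request from an internal address with no credentials passes the perimeter check and fails the Zero Trust check, while a fully authenticated request from outside the network fails the first and passes the second.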
The language in President Biden’s Executive Order explicitly calls out Zero Trust Architecture as a mandate:
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
While the clarity of the Biden Administration’s approach is to be applauded, the downside is that we can now be certain that IT vendor marketing executives around the globe will be scrambling to create assets and collateral that position the company’s credentials as a provider of Zero Trust solutions — which may or may not actually be the case.
Looking Ahead: Government/Industry Partnerships, Focus on Zero Trust, Open Source and CI/CD Pipelines, and Changes Needed Ahead
It is vitally important that government and industry work together to develop and deploy solutions for both government and private sector employees to access systems in a highly secure manner. Against the backdrop of attacks such as the SolarWinds attack and the more recent Kaseya attack where bad actors used access to the production environment to compromise dozens of outside entities, many of whom were government entities, the threat to national security is obvious.
The U.S. government must do more than offer guidelines and a timetable for inter-department reporting and seek to actively encourage adoption of Zero Trust guidelines and reference architecture implementation through how projects and grants are awarded. This will be a multi-year effort and while the Biden administration is taking a vital first step with the Executive Order and compelling Big Tech to attend meetings, success cannot be declared too early and in the interim more preventable hacks will happen.
As to be expected, the vendors that attended the meetings in Washington last week are already falling over themselves to be on the side of the government with pledges of investment in everything from skills programs to infrastructure investments. Many of these vendors are in the crosshairs of the administration right now over antitrust, and we’ll be watching closely in the months ahead for tangible investment beyond the virtue-signaling pledges we have seen since the meetings last week.
As the dust continues to settle following the SolarWinds and Kaseya attacks, the software world gains a deeper understanding of the implications and ramifications of supply chain attacks. As software development models change and microservices and serverless models become more prevalent, the use of open source software has increased. While this trend is accelerating, and rightly so, various supply chain attacks have increased focus on terms such as attestation and the need for code to transition through a Continuous Integration/Continuous Delivery (CI/CD) pipeline with trust and proof of provenance at every step. As more software development makes use of open source software, including software incorporated in many aspects of critical infrastructure and national security architectures, the need for a formal requirement or standard for maintaining the security of open source software will become more apparent. Most of the work that is done to enhance the security of open source software, including fixing known vulnerabilities, is done on an ad hoc basis today and this needs to change.
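To show what "proof of provenance at every step" means in practice, here is an added example (not code from the original article or from any pipeline vendor): each simulated pipeline stage signs a statement recording the digest of what it consumed and what it produced, and a verifier accepts the final artifact only if the stage sequence is the expected one, every signature checks out, and each stage's input digest is exactly the previous stage's output digest. The per-stage HMAC keys are constructed stand-ins for the asymmetric signing keys a real attestation scheme would use.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Hypothetical per-stage signing keys (constructed); a real pipeline would use
# per-stage asymmetric keys and a transparency log, but the chain logic is the same.
STAGE_KEYS = {"source": b"k-source", "build": b"k-build", "test": b"k-test"}
PIPELINE = ["source", "build", "test"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(stage: str, statement: dict) -> str:
    payload = json.dumps(statement, sort_keys=True).encode()
    return hmac.new(STAGE_KEYS[stage], payload, "sha256").hexdigest()


def attest(stage: str, input_digest: Optional[str], output: bytes) -> dict:
    """A stage records what it consumed and what it produced, then signs that record."""
    statement = {"stage": stage, "input": input_digest, "output": digest(output)}
    return {"statement": statement, "sig": _sign(stage, statement)}


def run_pipeline(source: bytes) -> Tuple[List[dict], bytes]:
    """Simulated pipeline: each stage transforms the artifact and attests to it."""
    chain, prev_digest, artifact = [], None, source
    for stage in PIPELINE:
        artifact = artifact + f"|{stage}".encode()  # stand-in for a real transformation
        chain.append(attest(stage, prev_digest, artifact))
        prev_digest = digest(artifact)
    return chain, artifact


def verify_chain(chain: List[dict], final_artifact: bytes) -> Tuple[bool, str]:
    """Accept only if the stages are the expected ones, every statement is signed by
    its stage, and each stage's input is exactly the previous stage's output."""
    if [a["statement"]["stage"] for a in chain] != PIPELINE:
        return False, "unexpected stage sequence"
    prev = None
    for att in chain:
        st = att["statement"]
        if not hmac.compare_digest(_sign(st["stage"], st), att["sig"]):
            return False, f"bad signature at {st['stage']}"
        if st["input"] != prev:
            return False, f"provenance gap before {st['stage']}"
        prev = st["output"]
    if prev != digest(final_artifact):
        return False, "final artifact does not match attested output"
    return True, "provenance verified"
```

A modified artifact, a skipped stage, or an altered statement each produces a distinct rejection reason, which is the property a downstream consumer relies on when deciding whether to deploy.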
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.