Biden Administration Signs Executive Order Aimed at Hardening Fed Cybersecurity Defenses
The News: The Biden administration signed an executive order on Wednesday, May 12, 2020, aimed at hardening the Federal government’s cybersecurity defenses following the Colonial Pipeline hack. More at CNBC.
Analyst Take: The executive order signed by President Biden directs the Commerce Department to create new standards for software vendors supplying the federal government. While this executive order immediately followed the Colonial Pipeline ransomware attack and the fallout from it, the recent SolarWinds attack, along with the Microsoft Exchange Server attacks, no doubt also played a role in the government stepping in.
The Executive Order addresses the fact that the incremental improvements that have heretofore been made along the way are not effective at providing the security the Federal government needs and that “bold changes and significant investments” are needed to defend the many institutions that are a necessary part of American life. It finally seems clear that cybersecurity is and must be a top priority for the Federal government and, more importantly, that the Feds intend to lead by example as it relates to standards and requirements.
Under the executive order, the standard for software vendors supplying the federal government will essentially be a rating system that mandates multi-factor user verification for new technology and also requires added encryption.
Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), remarked on this in a podcast on CBS last week, saying that this action by Biden is a “dramatic game change” and shows a commitment by the administration to prioritizing cybersecurity concerns. He also mentioned that establishing these kinds of standards will have a “cascading effect” on products sold to others, not only impacting government entities.
Now is a great time to be in the business of selling solutions that provide enhanced security, like IBM’s Confidential Computing and AWS’s Nitro Enclave, both of which we’ve written about before here.
This order establishes a Cybersecurity Safety Review Board that is modeled after the National Transportation Safety Board and includes members from both the private and public sectors. Equally important, it also clearly shows the administration’s intent to move the federal government to cloud systems that are more secure.
My colleague Fred McClimans and I covered this Executive Order in our Cybersecurity Shorts series of the Futurum Tech Webcast last week. You’ll find our discussion on that topic here:
Or you can see the full episode here:
You can find the full text of the Executive Order on Improving the Nation’s Cybersecurity here.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
More Insights from Futurum Research:
AWS Nitro Enclaves: The AWS Answer For Trusted Execution Environments
The Rise Of Confidential Computing – Trust: The New Battlefield In The Age Of Digital Transformation
Cybersecurity Shorts – Colonial Pipeline Attack, DarkSide’s Ransomware-As-A-Service, Executive Order Hardening Fed Cybersecurity Defenses
Shelly Kramer: We’ll move on from that, to just touch briefly on the Biden Administration signing an executive order that is aimed at hardening federal cybersecurity defenses. Much needed, right? This executive order was signed on Wednesday, and it directs the Commerce Department to create new standards for software vendors wanting to do business with or supplying the Federal Government in any way. And, these standards will essentially be a rating system, and it mandates multi-factor user verification for new technology, adds some required encryption. This is modeled after the National Transportation Safety Board, this new Cybersecurity Safety Review Board. And, it includes members from both the public and the private sector, and it shows the intent to move the Federal Government to Cloud systems that are more secure, and certainly a much needed step.
There’s much more ahead that we have to do, but I think this is an important move by the current administration. Chris Krebs, whose name we hear a lot and talk about a lot, the former Director of the Cybersecurity and Infrastructure Security Agency, was on a podcast on CBS earlier this week. And, he was saying that, “This move by the administration is a dramatic game-changer, and it showed a commitment by the administration of prioritizing cybersecurity concerns, which we very much need.” And, he also mentioned that he, “Felt like this process of standardizing systems would have a cascading effect for products that were sold to others.” So, for instance, if because you’re doing business with the Federal Government, you’re required to have certain things in place with regard to the software that you sell, then those protections will cascade down to other entities beyond the Government. So, that’s a good thing.
Fred McClimans: I think it’s a very good move, yes. And, definitely needed, considering the lack of guidance and coordination that we have between companies that are out there. We’ve kind of moved into the digital age with this, “Do it now, ask later”, kind of mentality, “Put it out there, we’ll secure it later”. As we know…
Shelly Kramer: We’ll secure it later, after something bad happens and we get caught.
Fred McClimans: … It doesn’t work. It clearly doesn’t work. And, we’ve seen that in our own research as well, where organizations… In fact, we did a study on customer service and customer experiences back in 2020. This was with about 2000 global brands, we asked the question, “Do you ever implement technology knowing it’s not quite secure, but pushing it out there because you need to get into the market?”
Shelly Kramer: I hated that answer.
Fred McClimans: Yeah, it was surprising. They actually said, “Yeah, we occasionally might do that”, and that’s a mentality that just has to change. It’s got to be a privacy first mentality. If nothing else, if the administration can put something in place that starts to put some teeth behind that, that would be definitely a positive thing. But, we’ve got a ways to go here on that.
Shelly Kramer: We do. And, we’ve talked in other shows in this series about some other proposed legislation about requiring notification of breaches. The problem is that these things happen and companies are quiet about it. Colonial didn’t have a choice not to be quiet about it, but a lot of companies don’t say anything about it, and so then you don’t know about it. There’s pros and cons to required reporting, but…
And, we talk about this all the time, security has to be foundational in everything that every organization does, and we’re not there yet. So, hopefully these kinds of things that are happening, and the fact that these incidences are just speeding up so much… I have some data in front of me that I was writing a separate post about, I wasn’t going to cover this here, but I think it’s interesting to know that BitDefender, a cybersecurity firm, said that in 2020 there was an increase of 485 registered attacks in 2019. And, those are the ones we know about.
Data from SonicWall shows that ransomware attacks rose more than 60% to 305 million, with 3.8 million encrypted threats, 4.8 trillion intrusion attempts, 5.6 billion malware attacks, 56.9 million IoT malware attacks. Those numbers.
Fred McClimans: Staggering.
Shelly Kramer: Those numbers are staggering. So, it is not a matter of if you will be hacked, it is a matter of when you will be hacked. And, we touch on this all the time, in terms of the importance of the security operations centers and dashboards, and working with vendor partners that can help provide those cybersecurity services. They’re out there. People need to be using them.
Fred McClimans: Yeah. It is good to see the administration moving forward, and hopefully that can be turned into a global effort that spans Government and private sector. I really hate that phrase, “Public-private partnership”. It’s not really a partnership, they just need to think together on this and be a bit more proactive. Including, going after some of these threat actors, which is the case with DarkSide, they are being pursued by somebody out there, and we’ll talk about that as well in the later segment here.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”