A spate of recent troubling network breaches shows that the nation’s overall approach to cybersecurity is lacking and that the nation needs to immediately put more emphasis on preventing cyber-attacks rather than remaining in incident response mode, a senior administration official said Wednesday evening just ahead of a White House release of a sweeping executive order that aims to dramatically improve the cyber defenses of the federal government while also leveraging its capacity to drive changes in the private sector’s cybersecurity efforts.
“These incidents share a few things in common,” the official told reporters during a background call. “First, a laissez-faire attitude towards cybersecurity. For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort and money. And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ be the status quo under which we operate.”
Another common trait in the attacks involving SolarWinds [SWI], Microsoft [MSFT] and Colonial Pipeline “is poor software security,” with security essentially an afterthought in the development process despite the software’s use in “some of our most critical systems and infrastructure,” the official said.
The official’s comments on lax cybersecurity practices were echoed on Thursday by Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA).
“In almost all cases, basic cyber security practices would stop the vast majority of the kind of incidents that affect local communities and that affect people’s lives in the most direct way,” Wales told reporters during a virtual Defense Writers Group meeting.
Asked specifically about the ransomware attack on East Coast fuel pipeline operator Colonial Pipeline that forced the company to shut down operations for several days, Wales replied that “ransomware operators are not using zero-day vulnerabilities to compromise networks.” If companies do “the bare minimum” to reach a “baseline level of cybersecurity,” they will usually protect themselves from the most common attacks, he added.
The administration previously telegraphed much, if not all, of what is covered in the 30-page “Executive Order on Improving the Nation’s Cybersecurity,” including the need to modernize federal cyber defenses and improve the ability to detect vulnerabilities and breaches through the move to secure cloud services, zero-trust architectures, faster and wider deployments of security tools like endpoint threat detection and response, and multifactor authentication and encryption, much of it layered throughout networks.
Other aspects of the order that have also been broadcast in background briefings, speeches and leaks to the media include enhancing software security by building in security and resiliency and using federal acquisition practices to drive this behavior, giving consumers more insight into security through new labeling efforts, and establishing a review board much like the National Transportation Safety Board to assess serious incidents and generate lessons learned.
Early on in the directive, the administration also takes on the perennially cited but never fully realized priority of improving the sharing of cyber threat indicators between the government and industry. One barrier to better information sharing highlighted in the order is contract terms for systems purchased by the federal government that limit providers of information and operational technology services from sharing information about incidents.
To address these impediments to information sharing, the order directs the Office of Management and Budget to update regulations governing the procurement of items by the Pentagon and federal civilian agencies so that contract language ensures “service providers share such data, information and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted.”
The order also makes it federal policy that providers of information and communications technology services in contracts with the government “must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.” The ICT services providers must also report these incidents to the Department of Homeland Security’s CISA.
A sense of urgency pervades the executive order, which affixes dozens of deadlines for action.
Wales said that despite the tight deadlines, in many cases actions have been underway for some time. For example, he said the government has already been moving toward multifactor authentication and that more than 95 percent of traffic on the “DotGov” networks is encrypted. As for security tools like endpoint threat detection and response (EDR), Wales said currently there are “substantial differences among the agencies” with some having already begun to deploy these tools and others not yet.
Congress in March appropriated $650 million in new funds for CISA, some of which will be spent on helping agencies procure and deploy EDR tools. Wales said that the goal over the next year is to get most of the new funding obligated.
The executive order also calls for the federal government to have a standardized “playbook for responding to cybersecurity vulnerabilities and incidents,” noting that currently across the government different agencies have different practices in place for incident response.
“Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses,” the order says.