As far as recent events in the cybersecurity space go, things are looking pretty grim. It seems that each day we wake to yet another organization falling victim to a breach. With increasingly sophisticated cybercriminal gangs making big profits, security teams across the country are fighting on the front lines of this unprecedented cyber-war, and the uphill battle only appears to be getting steeper.
As organizations continue to move their operations to the cloud and enlist third parties to achieve their business goals, we find ourselves drinking from the same cup that poisons us. Our efforts to ease our operational woes have left us tethered to one another, in a way that finds one organization vulnerable to the security shortcomings of another. This interconnectivity has vastly increased the supply cybersecurity risk exposure of nearly every organization.
The SolarWinds breach demonstrated that even the federal government isn’t without supply chain risk, and the Colonial Pipeline attack showed how the impact of an incident can be felt well beyond ground zero. But how do we control this growing problem?
Mixed reviews for the Biden Administration’s response
Well, the Biden Administration is taking a stab at it with the recent release of the Executive Order (EO) on Improving the Nation’s Cybersecurity, but it’s gotten some mixed reviews among the cybersecurity crowd. Highlighting methods like multi-factor authentication (MFA), participating in vulnerability disclosures, requiring a software bill-of-materials, and mandating Zero Trust security models across federal agencies, the EO aims to increase vendor transparency and mitigate supply chain risk—but not everyone is convinced it will be enough to save our bacon.
Want to learn more about the Biden EO’s impact on IT compliance and cybersecurity?
Register for our webinar hosted by Matt Kelly of RadicalCompliance.com.
In response to a post in r/cybersecurity about the EO, one Reddit user, u/tcp5845, comments, “Kind of pointless if companies won't be required to actually increase IT Security headcount. Last few jobs I've had we're basically skeleton crews of IT Security personnel at best. With nobody internally actively monitoring for attacks [it’s] no wonder companies keep getting breached.”
This raises an interesting point and emphasizes the ever-present cybersecurity skills shortage. According to ISACA’s State of Cybersecurity 2021 report, 55 percent of survey respondents say they have unfilled cybersecurity positions, and that paints a concerning picture when we’re talking about improving the nation’s overall security posture.
Another user states, “This is an absolute joke of a plan, but it is what it is,” after sharing their summary of the EO directives, and continuing to add that they feel the best way to solve this problem is by disconnecting critical systems from the internet.
A more positive tone
On the other side of the coin, many people are just glad to see the government finally taking steps to fix a problem that’s been neglected for so long—even if we still have a long way to go. Security Magazine had a chance to connect with several experts in the security industry and get their take on the new mandates:
“The executive order is a major step in the right direction for strengthening US cyber defenses primarily because it removes barriers to collaboration around cyberthreats, which is essential for effective cyber response.” Stephen Banda, Senior Manager, Security Solutions at Lookout shares, “The executive order makes a Zero Trust Architecture central to the Federal Government’s approach to cybersecurity. This is a crucial step. It’s encouraging to see cloud security, Endpoint Detection and Response and active threat hunting on government networks as important components of the executive order.”
The Zero Trust model and direction to “assume compromise” facilitate an almost permanent state of threat vigilance—a far reach from the honor and good faith system many organizations put into their vendors today.
-CEO of TokenEx, Alex Pezold, shows support for full vendor transparency.
Marjorie Dickman, Chief Government Affairs and Public Policy Officer at BlackBerry, highlights the importance of the SBOM aspect of the EO in effective vendor risk management: “The software bill of materials (SBOM) provision is critically important, and long overdue, in securing our nation’s software supply chain—allowing purchasers, including the federal government, to manage risk and uncover vulnerabilities that malicious hackers are targeting.”
Having visibility into the components of the software you’re purchasing allows you to quickly ascertain whether they are at risk to existing or new vulnerabilities and promotes greater awareness about our collective reliance on open-source software libraries, for example. If we can be collaborative in identifying and closing security gaps, there won’t be as many opportunities for attackers to worm their way in.
The Bottom Line
Regardless of anyone’s feelings on the Executive Order, it’s impossible to deny that the federal government is making a concerted effort to rectify a broken system. It may not be the silver bullet we were hoping for, but even if it were, attacks would still continue to evolve and adapt to our defenses. Hell, nothing is flawless when you’re battling cybercriminals that invest in each other’s operations and support that kind of innovation.
The point is, it’s not a perfect plan… but it’s progress, and more than we’ve seen from the federal government in a long time. These mandates are going to change the way we all think about the security of our supply chain and are the building blocks to transform our digital interdependence from a critical weakness to a threat-fighting strength.