The threat of cyberattacks continues to rise unabated, and Washington is taking urgent notice. The recent attack on Colonial Pipeline is just one of an estimated 184 million ransomware attacks that are pushing government officials to escalate the alarm about the security threats plaguing our economies. A Ransomware Task Force report found a more than 300% increase in organizations paying ransom in 2020 over the previous year, accounting for an estimated $350 million paid to ransomware attackers. This year has brought no shortage of necessary wake-up calls for every American business to increase its protection against cyberattacks. After all, the stakes are highest for adversaries and service providers alike when citizens and the services they depend on are the targets. The Colonial CEO admitted that the company paid $4.4 million – some of which was recently recovered.
What Is the EO All About?
President Biden’s executive order (EO) on improving the nation’s cybersecurity is a renewed call to action needed to rework our national security standards. The EO emphasizes “bold changes and significant investments to defend the vital institutions that underpin the American way of life.” It goes on to state, “The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” The EO focuses on reducing the rampant cyber risks that threaten our critical infrastructure while also providing a comprehensive outline of the actions needed to “enhance software supply chain security.”
In summary, the EO calls for modernized cyber systems and improved cyber information sharing, cyber governance and strengthened detection, investigation, response, and remediation of cyber incidents, while also creating urgency and highlighting the bias for action the administration expects. The key to understanding the EO is to study the numerous time-based milestones and deliverables it outlines. I’ve written a simplified view of the EO and share here the key takeaways for commercial software vendors.
Major Thrust Area Of The EO: Software Supply Chain Security
The EO points to the increasingly software-driven nature of supply chains. This means business partners, whether Federal agencies or not, are now accessing internal applications to integrate with supply chain partners, so that vulnerabilities which were once internal become publicly exploitable. Software supply chain attacks affect connected systems, and today applications are interconnected more than ever before, predominantly through API-based integrations. When considering sensitive data exposure, one of the most prevalent application security issues identified in the OWASP Top Ten, security professionals can understand how adversaries can easily reach sensitive user data, the application technology stack, and the underlying infrastructure to plant system-wide, long-running attacks.
In section four, the EO succinctly and directly identifies the root cause:
“Development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.”
This statement calls upon commercial software vendors not only to expect stringent security requirements from the administration but also to buckle up to meet those standards. Here is a high-level summary of the detailed steps that, according to the EO, will be taken in the next 12 months:
Short-Term (0-60 Days):
Develop comprehensive criteria to evaluate overall software security, and a mechanism for service providers to demonstrate conformance with those criteria.
Define what “critical software” means for the administration, make an inventory of such software in use or in procurement, publish guidelines to be met for the use and procurement of “critical software,” and define standards for declaring the software bill of materials.
Medium-Term (60-270 Days):
NIST to publish preliminary guidelines for enhancing software supply chain security and to issue guidance to vendors on complying with practices that enhance software supply chain security. Identify secure software development criteria for a consumer software labeling program.
Identify IoT cybersecurity criteria for a consumer-labeling program and a set of measures to be taken to maximize manufacturer participation.
Long-Term (270 Days and Beyond):
NIST to publish additional guidelines based on a review of the outcomes of the short- and medium-term activities, and to enforce Federal contract language requiring compliance with the updated guidelines. Provide an update to the President on the progress of the rollout.
The Key Takeaway For Commercial Software Vendors
The updated software supply chain security guidelines will mandate that vendors be able to evidence compliance with guidelines on securing software development environments, ensuring source code integrity, performing regular application security testing and remediation, ensuring software provenance, publishing a software bill of materials (SBOM), and ensuring the provenance of open-source components.
Where Does The EO Fall Short?
While the EO offers promising change, it focuses mainly on federal institutions and not enough on the myriad of other systems that make up the American way of life. With this critical exclusion, Americans remain vulnerable to cyber threats and incidents in their daily lives.
The EO asks the Federal Government to “bring to bear the full scope of its authorities and resources to protect and secure its computer systems.” However, much of it focuses on exercising expanded federal contractual terms and obligations. While this is a significant first step, I believe the EO falls short of creating incentives that would accelerate the realization of the EO’s vision. In addition, the EO falls short in articulating penalties for behavior that puts Americans at greater cyber risk.
To me, the EO rightly emphasizes and expands the role of FedRAMP and NIST in facilitating the implementation of some of the bold actions, and identifies the federal organizations that will play important roles in developing a plan pursuant to those asks. There is a call for the appointment of a National Cyber Director and the establishment of a related Office within the Executive Office of the President. However, the EO falls short of clearly assigning ultimate accountability and authority to one agency, leader, or the National Cyber Director.
While there will always be additional policy work to fill any gaps in the EO, the most urgent need is to start securing critical software and ensuring that software supply chains are secured.
The EO spotlights software and software services providers: In the race to innovate, do not ignore security. Be responsible. Be secure.
This article originally appeared in Forbes.