Nation’s New Cybersecurity Executive Order is the Pivotal First Step, but Now the Heavy Lifting Begins
Last week, the Biden Administration issued its "Executive Order on Improving the Nation’s Cybersecurity." The executive order (or "EO") followed both the public disclosure and the supply-chain impact of the recent ransomware attack on Colonial Pipeline Co.
With its prioritization of cloud and zero trust security architectures, this EO prompts a reassessment of U.S. Federal Government cybersecurity policy. As Zscaler’s VP of Global Government and Compliance Stephen Kovac recently wrote, this new EO moves federal operations into a new "Cloud Secure" era.
The new cybersecurity EO brings zero trust to the forefront
The Biden Administration's comprehensive new cybersecurity directive mandates new cybersecurity practices, workflows, architectures, and deadlines. It calls for "bold changes and significant investments" for government IT and operational technology (OT). Its success depends on the development of extensive new partnerships between public- and private-sector organizations.
Ultimately, this order aims to bring government cybersecurity into the internet-driven, cloud-first world to improve data-sharing, secure our supply chains, and shore up cyber incident detection, response, and remediation. What’s absolutely critical to surface is that the EO directs government agencies to adopt a Zero Trust Architecture (ZTA) based on the NIST standard, "accelerate movement to secure cloud services," and ensure both multi-factor authentication (MFA) and industry-standard encryption methodologies are implemented. I am encouraged to see the Federal Government reinforce that the world no longer operates inside a trusted security perimeter like it did in the pre-cloud and pre-mobile world, and the future will be built on zero trust.
Good intentions... what’s next for the public and private sectors?
When the U.S. Federal Government proposes improved cybersecurity standards, pundits often respond with "It's a good start." While this EO is indeed a good start, I believe it’s also the foundation on which the heavy lifting and innovation work begins.
The Colonial Pipeline attack was yet another major wake-up call. The real issue is that many Federal agencies and a wide swath of private-sector organizations cling to entrenched legacy infrastructures designed with a perimeter-based, decades-old security model that simply cannot adapt to today’s highly mobile and cloud-centric threat landscape. While Colonial had cybersecurity measures in place, the company’s network perimeter was breached, and operations were crippled by the attackers' moving laterally throughout systems within the company's network. The only way to truly mitigate these attacks is for both public- and private-sector organizations to adopt a zero trust security model where validated user identity is combined with business policies for direct access to authorized applications and resources, not the network. The networks and systems running many critical U.S. infrastructures are woefully behind the curve in defending against new cyber threats.
Next steps: cloud, zero trust, and elevated cybersecurity with the right investment
I commend the Biden Administration's efforts towards modernizing Federal cybersecurity standards. But this level of security modernization requires adequate funding. The reality is, there is not enough government investment for Federal agencies to fully implement the new EO, which could force agencies to cancel or redirect funds from other programs. The only way we will be effective as a nation to stop these catastrophic cyberattacks is for the Administration to commit specific program funding to enable agencies to act quicker than the incoming attacks.
With the right funding in place, it’s important for the Biden Administration to provide pragmatic plans to help guide public- and private-sector cybersecurity rollout efforts. For example:
● Start with a security assessment to gain visibility into where organizations are most vulnerable.
● Adopt a zero trust model; legacy security models do not work. Zero trust begins with validating user identity combined with business policy enforcement to deliver authorized direct access to applications and resources.
● Ensure users and applications are connected directly to resources, not the corporate network. This prevents lateral movement of threats and thus reduces security threats.
● Make applications invisible to the internet. Applications protected behind a zero trust architecture are not visible and cannot be discovered, thus eliminating the attack surface.
● Use a proxy architecture, not a passthrough firewall, for content inspection, data protection, and policy enforcement before data reaches its destination.
For too long, cybersecurity has been relegated to the domain of IT. Threat risk is business risk, and cybersecurity is business security: As recent hacks have proven, cyber threats endanger business operations, impacting the operations of critical infrastructure and damaging our shared way of life. The Biden Administration’s new ‘Executive Order on Improving the Nation’s Cybersecurity’ represents an excellent first step to securing the Nation’s infrastructure. Now it’s time to get to work.
Enabling Cyber Resilience for Assured Business Continuity
3 years ago: Multi-Factor authentication & data centric security is the key to successfully implementing Zero Trust Architecture. Building proxy based architecture instead of passthrough via firewalls & access to applications not network definitely reduces the Threat Surface. Nicely Summarised!
AI Engineer, Digital Transformation Industry Expert, Global IT & Innovation Advisor/CIO Ex - SBI Barclays IBM GE
3 years ago: Brilliant
Build Awareness. Inspire Action. Be Kind. Be Helpful.
3 years ago: Congratulations Jay on a great quarter!
Chief Gravity Officer
3 years ago: The sooner that governments realize that Zscaler should carry all internet traffic, the safer we will all be.
IT Risk Management Evangelist, Passionate Entrepreneur, Cyber Warrior, President & Principal Founder at CentraComm
3 years ago: Being a smaller, woman-owned company, my team and I are proud to be a CMMC Registered Provider Organization supporting the DoD’s cyber mandate and the new Biden EO. As a Zscaler partner, we appreciate Jay’s, Steve’s, and their team’s leadership in zero trust.