Why the US Executive Order on Cybersecurity should be relevant to Australia
On May 12, 2021, the White House in the USA issued an Executive Order urging US agencies and businesses to protect themselves against ransomware.
Why is this even remotely important to us here in Australia? Well, we know for certain that US businesses and organisations are the #1 target for cyber crime in the world, and ransomware is one of the largest forms of cybercrime at present. Only recently, Colonial Pipeline in the US was impacted, with petrol logistics across the country impaired until the $4.4 million ransom was paid.
However, Australia is still one of the most attacked countries in the world, at #6. You only need to look at the news: in recent months we have seen attacks at RMIT, Channel 9, Swinburne University and the University of South Australia, along with a whole range of significant cyber-attacks that have not even been reported.
The Executive Order touches on some really important initiatives, driven by America reaching a critical mass of concern around cybercrime; it is evident that cyber crime and attacks are causing the American economy a significant amount of damage.
A projection from a global security provider (McAfee) at the end of last year was that cybercrime would cost the US economy 1 trillion US dollars, double the cost of 2018.
Here are some of the key US directives being made, and why I think they are worth taking in:
- Government agencies and the private sector to remove barriers to sharing breach information and threat intelligence. WHY: Because shared knowledge helps others prepare beyond the impact of patient zero. It might just protect your organisation from becoming victim to a fast-breaking attack. Speedy sharing of intel between government and the private sector can give the immediate and necessary information to become resilient to evolving cyber attacks. This has been shown to be the case even in Australia, as a recent news article demonstrated. Proactive companies and organisations in Australia are now looking to partner with the Australian Cyber Security Centre (ACSC).
- Organisations should embrace Zero Trust Architecture. WHY: It’s a catchy phrase that has started to gain popularity since late 2019. I wasn’t a big fan of the name for a while, because in an age where we’re trying to align and use “business language” I felt that ‘zero-trust’ perpetuated the very opposite of the hallmarks of progressive business and growth. Why call something by a name that immediately conjures a lack of trust? However, like the name or not – the idea behind it is still completely sound. Adopting MFA, least-privilege access and encryption will protect our organisations by minimising the impacts from credential theft, human error and data exposure, respectively.
- Improve software supply chain security. WHY: Secure coding practices are becoming more and more important for all organisations. When you engage a third party, are you comfortable inheriting their poor secure-coding practices? This initiative is about raising the bar, and forcing the market to respond by making sure software is built securely. This will be a normal skillset of modern developers in the very near future.
- Establishment of a Cybersecurity Safety Review Board. WHY: A national “PIR” (post-incident review) will drive other organisations to benefit from and act on the “lessons learnt”, ensuring there are no repeat cases of major incidents.
- Create a playbook for cyber incidents. WHY: Rehearsing incident response, and preparing for how an incident would be dealt with, are the hallmarks of a mature organisation that wishes to be resilient to cyber crime. Learning lessons post incident – however nobly the PIR can be phrased – could be avoided by leadership, management and all other staff involved in incidents being proactive in simulating and preparing for an eventual cyber crisis.
- Improved detection capabilities such as Endpoint Detection and Response (EDR). WHY: Detecting malicious activity vastly improves an organisation’s ability to be alerted to an incident. IBM reports the average global time to detect and contain a data breach is 280 days. 280 days! Statistics on this seem to vary a lot, but I think we can all agree they are all way longer than they should be.
- Improved logging and remediation capabilities. WHY: Logging more efficiently means richer security data, which in turn means improved intelligence to move an incident through the cycle… with the ultimate goal to limit, contain, eradicate and recover from a cyber incident as quickly as possible – minimising the impact in financial and reputational terms to any organisation.
Final Comments from the Peanut Gallery (TL;DR - "people are needed to be able to do all this!!!"):
The White House Executive Order of May 12 on Cybersecurity is a great demonstration of how governments should be treating cybersecurity seriously. With any luck, it will also trigger other governments to respond in a similar way. And then in turn, the pressure will be on for the private sector to stop being laggards when it comes to cybersecurity investment.
In order to successfully meet any number of these directives and turn them into initiatives within our organisations, it will require a balanced blend of people, process and technology. During the pandemic a lot of organisations worldwide focused on the technology. A rapid shift to working from home and the distributed nature of our networks required that. However, I believe that the emphasis now - more than ever - needs to be on the people element - both in terms of development and headcount, as many organisations are not getting the people they need to perform the function effectively. There are a lot of expectations but not enough support to meet those expectations. Organisations can’t just buy an EDR solution and expect that’s all they need to do. EDR requires analysis skills and sufficient people to perform that analysis.
Implementing least privilege is complex and time consuming, as is changing the culture within application teams to code securely. Obtaining time from multiple stakeholders to rehearse incident response takes them away from their primary objectives, and is also time consuming. Remediation is often quite time consuming too, especially in legacy or complex environments where testing and change embargoes slow security remediation to a snail’s pace. All of these things are important, and the only solution is to allow for sufficient people to be able to govern and drive the change necessary.
Thankfully, Splunk's State of Security 2021 report indicates that, of their surveyed respondents, 88% of organisations plan an increase in cybersecurity spend in the next 12 months, with 35% of those reporting it will be a significant increase. As mentioned in the prior paragraph, this should be a blend of technology and people spend.
It seems the inadequate allocation of suitably skilled cyber people to cybersecurity posts will continue to plague many organisations, with cyber being calculated in traditional terms such as a ratio of headcount to organisational staff, or headcount to IT staff. To my mind, this is a bit like buying a run-down house and trying to get it ready for the market within 1 week. With all the work to fix broken doors, broken windows, paint and mend walls, etc., you can’t sit back and say “well, this house costs $500,000, so normally it would require 1 tradesman. If I had a house for $1,000,000 it would require 2 tradesmen.” I think it’s obvious that you would get what was required to get the job done as quickly as possible, so you can move forward. Same with cybersecurity.
Teams should be resourced to close the major gaps as quickly as possible, knowing that security will always be an ongoing concern – but especially for organisations carrying a large amount of technical risk – the resourcing of cyber people (real feet on the ground, not caught up in projects) should match the resourcing of technology. You also need people to build or improve process. My final comments are really a rant around that. The good points of the Executive Order (or any other strong recommendation) will only be as good as the commitment provided to resource it.
Account Director - Cyber Security - Financial Services & Public Sector at Wipro
3y
Thanks for the article Nigel. I hope my network reads this piece and understands what being a security leader in an organisation is about. The practicality of what you have described is extremely valuable. What is your take on the US planning on treating ransomware attacks as a terrorist attack?
CISO | FAISA | GAICD | CISSP, CISM, CRISC | CSO30 2022, 2023, 2024
3y
Great writeup, thanks Nige
Senior Director, AUS & NZ at SentinelOne. NYSE:’S’ AI-powered cyber platform that prevents breaches
3y
Nice post mate, the problem is in front of us - lack of skills, lack of resources and enormous amounts of signal. None of that goes away, it ever increases. Your point about recommendation vs reality is very true. First gen EDR as an example is noisy, human dependent and if you don’t have the right resource structure or outsource, you don’t get the value. Investment in new tooling is critical, investment in tools that don’t just create signal or require dedicated specialised humans to be effective, is even more critical…. Problem is we don’t have frameworks to determine that separation dependency of tools from humans - I guess it’s an internal analysis on how much dependency on humans exists and then plan ways to move humans away from signals into unknowns
Head of Security Strategy & Sales Excellence
3y
6 min read distilled from 12,088,800 minutes of experience! Great article mate - very topical and on-point.