US President Joe Biden recently signed an Executive Order to boost the cybersecurity of the Federal Government’s systems and data, which could have wide-reaching potential impacts on businesses and organisations in the UK.
The Executive Order aims to modernise America’s cybersecurity defences by protecting federal networks, improving information sharing between the US Government and the private sector on cyber issues, and strengthening its ability to respond to incidents when they occur.
The President said the ‘…prevention, detection, assessment and remediation of cyber incidents has become a top priority’ for his administration and is ‘…essential for national and economic security’.
It followed a series of high-profile cyber incidents affecting American organisations, businesses and interests, including:
- A recent ransomware attack on the Colonial Pipeline, which created a national emergency after leaving the District of Columbia and 17 US states with fuel shortages.
- The SolarWinds supply chain attack of 2020, which saw hackers push a trojanised Orion update to more than 18,000 company customers, allowing them to target high-profile government and private organisations in further attacks.
- Regular cyber-attacks on open-source developers’ platforms like GitHub, where software is hacked for mining cryptocurrency and distributing malware.
- The Codecov supply chain attacks, where hackers have accessed the source code, repositories and credentials of hundreds of client networks.
# What will the Executive Order do?
The Executive Order aims to bolster the US’ cyber defences by removing the barriers to threat information sharing. It will oblige IT service providers to share certain breach information with the Government to enable more effective defence of federal departments and improve the nation’s cybersecurity as a whole.
It will also help the US modernise and implement more robust cybersecurity standards in the Federal Government and improve software supply chain security.
To implement the required changes, the US Government will establish a Cybersecurity Safety Review Board and create a ‘Standard Playbook’ for responding to cyber incidents.
It’s hoped these steps will help the US to improve its investigative and remediation capabilities and its detection of cybersecurity incidents on Federal Government networks.
Although the Executive Order applies only in the US, it could have wide-reaching impacts on governments, businesses, and organisations worldwide, particularly those involved in trading or supply chain arrangements with the Federal Government.
The UK Government’s Department for Digital, Culture, Media and Sport (DCMS) has already opened a consultation in response, to gather input from industry experts and tech organisations about the best ways to step up supply chain security across the UK.
The consultation forms part of the National Cyber Security Centre’s (NCSC) efforts to safeguard businesses and organisations from cyber-attack and strengthen digital supply chain security.
As with most things in the political, economic and business arenas, when the US moves, the rest of the world usually follows.
Here are our thoughts on what the US Executive Order on cybersecurity could mean moving forward and the impacts it could have on businesses and public sector organisations here in the UK.
# Paving the way for more changes?
While it’s interesting that President Biden says that ‘…incremental improvements will not give us the security we need’ and that ‘…bold changes and significant investments’ are needed, Executive Orders don’t automatically produce money. However, significant investment will be required to fund such radical changes, so it’s possible that this Executive Order is scene-setting for a further statute to be passed through the Senate.
# Greater transparency
The order lists some proposed contractual changes that should make pan-government data sharing around cyber threats easier. This may have a significant impact on firms in the Federal Government’s supply chain.
Organisations are often very protective of this type of data because of the risks that disclosing it poses, but in the long term that reluctance can leave more organisations exposed to unknown threat vectors. If the information were shared, security holes could be closed more rapidly across a broader section of government organisations.
# Shift to Zero Trust
Traditional architecture is a bit like a castle complete with knights. If you can breach the wall – ie a firewall – then you are in.
The Zero Trust model is more like the ‘need to know’ tactics that military and intelligence agencies apply – it allows access to a specific service based on who is trying to access that service, rather than automatically viewing a user as trustworthy because they are already ‘inside’ the wall.
Most large organisations still operate their ICT like a castle rather than on the Zero Trust model. This Executive Order switches this around to make Zero Trust the default.
While this is a positive step, it has the potential to create significant costs and take a long time to implement. Inevitably, some organisations will get it wrong.
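As an added illustration that is not part of the original post, the following Python sketch puts the two access decisions described above side by side: the castle model, which admits anyone already inside the network range, and a Zero Trust decision made per request from the caller’s identity, device state and entitlement to the specific service. The network range, user names, service names and entitlements are all constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample value: the "castle wall" is the corporate network range.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed service-specific entitlements: who has a need to know what.
ENTITLEMENTS = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}


@dataclass
class Request:
    src_ip: str
    user: Optional[str]       # None means no authenticated identity at all
    device_compliant: bool    # outcome of a device posture check (assumed available)
    service: str              # the specific service being asked for


def perimeter_allows(req: Request) -> bool:
    """Castle model: being inside the wall (past the firewall) is all it takes."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_allows(req: Request) -> bool:
    """Need-to-know model: decide per request on identity, device state and the
    caller's entitlement to this specific service; network location is ignored."""
    if req.user is None:
        return False                      # unauthenticated: no implicit trust
    if not req.device_compliant:
        return False                      # device failed its posture check
    return req.user in ENTITLEMENTS.get(req.service, set())


def compare(req: Request) -> Tuple[bool, bool]:
    """Return (castle decision, Zero Trust decision) for one request."""
    return perimeter_allows(req), zero_trust_allows(req)


if __name__ == "__main__":
    # An intruder past the wall: internal address, but no identity or compliant device.
    print("intruder    ", compare(Request("10.1.2.3", None, False, "payroll")))
    # Staff working from home on a managed laptop, entitled to payroll.
    print("remote alice", compare(Request("203.0.113.7", "alice", True, "payroll")))
    # Bob is inside the wall but has no need to know payroll.
    print("inside bob  ", compare(Request("10.4.5.6", "bob", True, "payroll")))
```

The intruder and the over-reaching insider are admitted only under the castle model, while the remote employee is admitted only under Zero Trust.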
# Cloud and data
Cloud is also introduced in the context of Zero Trust, with the US Government expecting organisations to use cloud solutions but treat user access with Zero Trust. This is a sensible approach that lends itself more to a Software as a Service (SaaS) delivery model than Platform or Infrastructure as a Service (PaaS or IaaS).
Meanwhile, Cloud Security Reference Architecture is supposed to be issued within three months of the order by the Cybersecurity and Infrastructure Security Agency (CISA), so it will be interesting to see when it comes out and what it aligns to.
And in terms of Data Classification, this section relates to evaluating the types and sensitivity of unclassified data. This is a problem across the whole of the public sector. Millions of documents exist with a whole range of content, so how do organisations determine sensitivity without understanding the content? It could potentially be very expensive to deliver.
# Supply chain impacts
Some significant requirements and obligations are being placed on supply chain organisations, particularly around how software development is conducted. While this could be a positive step, it misses the fact that the Federal Government engages with a broad range of companies that all have ICT systems, but not all of which develop ICT systems. It would have been good to see the US propose something similar to the UK’s Cyber Essentials scheme, which sets a minimum level of best practice standards for all organisations, rather than something just targeted at software development houses.
And the Internet of Things (IoT) cybersecurity criteria for consumer labelling is a great idea which, if properly implemented, is likely to push improved security to the whole IoT landscape.
# Where does the UK stand?
So, where does the UK sit in relation to the Executive Order?
For much of it, we’re in a good position.
We already have standards like Cyber Essentials and Cyber Essentials Plus. UK Government procurement generally requires Cyber Essentials accreditation as a bare minimum and will be moving towards Cyber Essentials Plus soon.
In terms of cloud, the Government directed its executive departments and local government to be cloud-first then cloud-native several years ago. So, the UK’s public sector is already heading in the right direction, and there is a lot of guidance available on how to deliver cloud securely from the NCSC.
On a slightly more negative note, though, we’re not quite as far ahead with Zero Trust, which is an area on which the UK Government will hopefully place renewed focus on the back of this Executive Order.
If you enjoyed this blog and want to learn more about how we can help your organisation improve its cybersecurity, give us a call on 01332 322588. And if you would like to stay up to date with the latest news, views and insight on everything going on in the ICT and technology sector, subscribe to our FREE email newsletter.