A new national security memorandum from the Biden administration looks to give the active cyber defenses of the United States a boost. The intelligence agencies, the Department of Defense and other agencies tasked with national security matters will be required to meet at least the cybersecurity standard already applied to federal civilian networks.
The move is meant to bring these crucial federal systems in line with the tougher cyber defense standards applied to civilian systems by a May 2021 executive order. These agencies will now be subject to stronger cyber hygiene standards, shorter incident reporting windows and new inventory requirements among other measures laid out in that original order.
Federal agency national security standards to achieve parity with civilian contractor requirements
The new memorandum brings the named agencies into line with the terms outlined in Executive Order 14028, “Improving the Nation’s Cybersecurity.” This upgrading of general cyber defense standards was prompted in no small part by the major ransomware attacks that ran rampant in the early part of 2021, including blows to critical infrastructure (Colonial Pipeline) and to network service providers with thousands of downstream clients (Kaseya).
The new cyber defense standards are also being gradually rolled out to utilities, with some (such as electric and water) already expected to begin implementing them. While these new terms were much needed in the private sector, there is perhaps an even bigger endemic problem amongst federal agencies. These agencies, even some that handle matters of national security, have ongoing issues with legacy equipment that is very difficult to maintain at modern security standards.
The list of new cyber defense requirements is quite substantial. One central focus is the improvement of incident visibility and reporting, with agencies now required to follow a more standardized format that ultimately runs everything through the National Security Agency (NSA). The NSA has been instructed to create Binding Operational Directives (BOD) spelling out specific responses to a variety of expected cyber security incident types, a role that is being handled by the Department of Homeland Security (DHS) for federal civilian contractors. NSA and DHS are being instructed to collaborate on this initiative to standardize their approaches wherever it is appropriate.
Another central focus is on shoring up the security of “cross domain solutions,” or the set of tools that is used to pass sensitive data between federal and civilian systems. These tools are a major point of attack for threat actors looking for access to classified systems. A comprehensive inventory of these tools is to be conducted by the DOD and the intelligence agencies in the coming months, with NSA instructed to develop a directive governing the process within the next 60 days.
“Cyber hygiene” will also be a big focus in the next four months, with these systems that handle sensitive national security information subject to added login and data security procedures: mandatory multifactor authentication, encryption and zero trust architecture among other elements.
Tim Erlin, VP of strategy at Tripwire, expands on exactly what “zero trust” entails (and what can realistically be expected): “Zero Trust Architecture holds a lot of promise as a defensive security control. Preventing attackers from accessing resources, and limiting which resources are accessible, is a great strategy, but there’s a big gap between the specification on paper and the realized implementation. These are the gaps that attackers will attempt to exploit.”
Cyber defense update long overdue
The combined orders from the Biden administration address longstanding cyber defense weaknesses in the nation’s critical infrastructure, ones that create the possibility for serious national security issues. The ever-evolving threat landscape has made the issue impossible to ignore any longer, as the major attacks of last year (most notably Colonial Pipeline) make clear.
Incident reporting in both federal agencies and relevant private industry has long been one of the leading problems, having previously operated under a lax system that relied mostly on self-policing and voluntary disclosure. Long-neglected critical infrastructure is receiving special attention, something underscored by a recent bridge collapse in Pittsburgh just before President Joe Biden was set to address the nation about the issue from the city. In addition to the cybersecurity executive orders, the administration has passed the Infrastructure Investment and Jobs Act, which includes $21 million in new money annually for the Office of the National Cyber Director and the creation of a $100 million Cyber Response and Recovery Fund to assist in mitigating attacks.
However, James McQuiggan (security awareness advocate at KnowBe4) notes that one major item has been missing from the orders thus far: “One missing item from the order is education around and the creation of a solid security culture among users. When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyberattack.”
Aside from the implications for national security improvement, these cyber defense orders may also provide some direct benefit to the average American. The Federal Communications Commission (FCC) is using this moment to propose that the nation’s major telecom carriers also be subject to strict incident reporting windows, including the delivery of data breach notifications to their customers. The carriers are at present actually required by law to wait at least seven days before issuing these breach notifications, a practice that the FCC is looking to end. The agency would also place the telecoms under reporting terms similar to those of the utility companies, requiring them to very quickly notify the FCC and applicable law enforcement agencies if their networks are successfully attacked.