The President’s Executive Order on Cybersecurity is a Massive Shift for Security

The latest ransomware attack on Colonial Pipeline highlights the worst secret in cybersecurity; our nation’s critical infrastructure is not prepared to stand up against the modern cyber threats. Systems like these have been the target for attacks from domestic and foreign cybercriminals for years. These groups are armed with the latest and most effective zero-day exploit attacks that traditional signature-based defenses simply cannot defend against. And the attacks maintain the upper hand against these outdated security systems that meet bare minimum security requirements.

But on May 21, 2021, President Joe Biden announced the most substantial executive order on cybersecurity, focusing on improving the Federal Government’s efforts to defend itself from future cyberattacks. While most of the rules stated in the executive order direct Federal systems, it also raises the bar of security expectations from vendors regarding support of these new security guidelines, focusing on prevention, detection, response, and investigation. While this language is not unique to many that have adopted the latest in security architecture, it advances the Federal Government’s mission. It supports the ‘lead by example’ vocabulary included in the order.

“The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”

A vital component of the executive order appears in Section 3, focusing on modernizing the Federal Government’s Cybersecurity around Zero Trust architecture and minimizing the barriers of cybersecurity data sharing for identifying and managing risks.  Zero Trust architecture addresses this with its foundation of “never trust, always verify”, designed to secure modern workspaces against comprehensive threats through network segmentation, device attestation, and identity verification. Zero Trust is advanced access control that requires verification from every user trying to gain access to data, no matter their location or device being used. This architecture defines that all data, endpoints, and services are considered resources, and access is defined by a policy that takes into consideration the requesting endpoint, behavioral attributes, and the security state of the requestor’s identity.

As Federal agencies adapt and enable users to work outside established security perimeters and access data through mobile endpoints, they must also address the inherent risks involved. And over the last year, agencies have followed the National Institute of Standards and Technology (NIST)’s SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) to enable their employees to work in remote and distributed functions. But in order to truly secure the data accessed on personal mobile devices, Zero Trust must be implemented, and with it, mobile device integrity must be insured. This executive order addresses the gaps that exist, like with mobile implementations into advanced EDR, XDR, and Zero Trust security architectures, for a cohesive and progressive security strategy.

“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.” – NIST Zero Trust Architecture, SP 800-207, August 2020

While Zero Trust architectures already do exist within areas of Federal systems, the standards set out by the executive order show that the Federal Government is taking a progressive and aggressive approach to shoring up the security of its digital infrastructure. And with the modernization of Federal systems comes the added goal of driving the public sector to match the security improvements, leading to a cohesive national push towards prevention against the next attack. By using the standards set by NIST’s SP 800-207: Zero Trust Architecture, both public and private sectors are provided the strategic roadmap needed to move from a static-network-based security perimeter to an advanced security model that addresses modern threats.

“The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” 

One of the biggest challenges for critical infrastructure and Federal agencies has been migrating from legacy security solutions to an architecture that supports a constantly evolving threat. As the latest attack on the Colonial Pipeline has shown, meeting the minimum standards is not enough to stand up against the advanced capabilities of the modern cybercriminal. For the Federal Government to avoid being the victim themselves, they must evolve their own security to match and exceed the capabilities. With this executive order, though, the President is setting a precedent that the old, legacy approaches to security must be addressed, paving the way for a modern approach to threat prevention.

“[This executive order] shall require agencies employing software developed and procured prior to the date of this order (legacy software) either to comply with any requirements issued pursuant to subsection (k) of this section or to provide a plan outlining actions to remediate or meet those requirements, and shall further require agencies seeking renewals of software contracts, including legacy software, to comply with any requirements issued pursuant to subsection (k) of this section, unless an extension or waiver is granted in accordance with subsection (l) or (m) of this section.”

While other executive orders have emerged from past Presidents, never before has one been so focused on implementing what is seen as industry standard outside the Federal space. Following the release of the executive order, Defense Information Systems Agency (DISA) released their report Department of Defense (DOD) Zero Trust Reference Architecture, laying the framework for the next generation of cybersecurity architecture. Evolving from legacy approaches to security, DISA’s findings are based on Zero Trust principles, addressing not only the threat of today but tomorrow.

“Zero Trust implements continuous multi-factor authentication, micro-segmentation, encryption, endpoint security, analytics, and robust auditing to DAAS seven pillars to deliver cyber resiliency. As the Department evolves to become a more agile, more mobile, cloud-instantiated workforce, collaborating with multiple federal and non-governmental organizations (NGO) entities for a variety of missions, a hardened perimeter defense can no longer suffice as an effective means of enterprise security.”

Just as the private sector has evolved with the modern workforce, DISA recognizes the need to protect the resources within the security perimeter and data that travels outside it. As the lines have blurred between the mobile and traditional endpoint in the workforce, with mobile devices taking the lead as the most commonly accessed device, DISA significantly advances the notion of complete endpoint coverage for security. With advanced mobile threat defense solutions implemented into security architectures, agencies can deliver comprehensive Mobile Endpoint Protection (MEP) to their unclassified mobile offerings and shoring up the President’s Zero Trust initiatives.

“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud- based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

Just as the threats against our infrastructure have evolved, so has the modern workplace for private and public sectors. But to keep up with both, the approach to critical security systems must advance beyond the legacy, signature approaches and into cohesive security architectures that secure all data-accessing systems, from BYOD to traditional endpoints.

Ultimately these two releases, one spurred by a cybersecurity attack and the other developed as an evolving component of the Federal security strategy, reflect positive shifts in cybersecurity mindsets within the public sector. It is time for the cybersecurity strategy of the country to evolve and not just meet the minimum requirements. To prevent future attacks, the mindset must change and evolve to match the threats. While the Colonial Pipeline incident may not have surprised many in the space, the lessons can direct the future of cybersecurity for the nation.

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information, visit www.zimperium.com.