CIOs who overlook the US government’s cybersecurity orders do so at their peril — and that of their enterprise. That’s what former US Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs stressed during his keynote presentation at Gartner IT Symposium/Xpo last week.
Remarking on the Biden administration’s cybersecurity executive order signed last May, Krebs said CIOs should worry less about meeting the initial order’s basic regulatory compliance for security and instead harden their infrastructure as much as possible in anticipation of escalating attacks and additional cybersecurity orders in the future.
“Critical industries — those that really do tie into the continuity of the US economy — [are at risk] and I expect, based on some of the events of the last couple of years, that we will see an enhancement of those compliance regimes,” Krebs said. “You don’t want to end up in an environment that is just a checklist-based approach because you’re spending money that could go for security programs.”
Amid highly publicized attacks such as the compromise of SolarWinds at the end of last year and ransomware attacks at Colonial Pipeline and JBS meat packers, which paid $11 million to cybercriminals, the Biden Administration in May issued an executive order that includes new mandates for software procurement and adopting multifactor authentication architectures, as well as a series of other requirements to safeguard public and private assets.
The recently created CISA joins the CIA, FBI, National Security Agency, and National Security Council in coordinating and broadening public-private partnerships and in enforcing the executive mandates because all cyberattacks threaten national security, Krebs said.
CIOs across the public and private sectors are scrambling to secure their infrastructures.
“Cybersecurity is huge,” said NASA CIO Jeff Seaton during the Forbes CIO Next event held last week. “Things will continue to move online. And so the threats that exist in the online world are only expanding. For me, for us, it is a primary area of focus.”
Seaton, who was confirmed as CIO in January after eight months as acting CIO, stressed the magnitude of the concern. “It used to be that if you were going to be attacked, you had to have physical proximity to what you were going to attack. And now it can happen from, you know, on the other side of the globe,” he said. “So we have to take it seriously.”
Reshaping cybersecurity requirements
As part of his keynote, Krebs outlined four roles the US government is playing to strengthen public-private security partnerships: as consumer, enforcer, defender, and advisor.
Biden’s executive order upped the ante on security requirements for software procurement undertaken by government entities, whether on the civilian side or the Department of Defense, which is the largest consumer of IT in the US, Krebs said.
“The software, the services, and the products that the US government [purchases] are the same SKUs and the same products that you in [private] industry regardless of sector or segment are buying as well,” Krebs said, noting that manufacturers that incorporate software into their products will also be on the hook.
The executive order also raises the bar on quality control throughout the software development lifecycle for all manufacturers. “When the government says do this better … the government is not the only beneficiary. It’s everyone else so on the consumer side,” Krebs said. “If we know the attackers are going to target the supply chain, why not hold IT vendors responsible when they produce insecure offerings like faulty cars?”
One former government agency CIO who is now a small business owner said the private sector should run to — not hide from — the executive order’s mandates because they will benefit all.
“Having served as the CIO for the US Capitol Police and the Chairperson of the Legislative Branch of Government, I would encourage the public sector, especially federal government software/service vendors to lean forward as it pertains to transparency, reporting, and cooperation related to cybersecurity incidents affecting the integrity of their software, impact to customer data, and the supply chain,” said Heath Anderson, noting the executive order has a framework for public/private partnership by establishing a Cybersecurity Safety Review Board.
“Active participation by private industry is critical in improving future incident responses and recovery,” said Anderson, who is now CEO of Roam Advisors in Carlsbad, Calif. For the government’s part, Anderson told CIO.com it is moving toward a zero-trust architecture (ZTA) and is accelerating its push toward secure cloud services.
Government as enforcer and advisor
Enforcement agencies will be on the prowl for violations of the executive order’s various mandates. This includes not only law enforcement agencies such as the FBI, but also regulatory agencies such as the Securities and Exchange Commission for publicly traded companies and the Federal Energy Regulatory Commission for the energy sector.
CISA, for its part, is not intended to be a watchdog but a “value-driven organization, so it really does look like the private sector or at least a participant in the market,” Krebs said, adding that the cybersecurity agency’s investments and executive order will have a “cascading effect” on the government’s R&D spending to the benefit of private industry.
“The [U.S.] government needs to continue pushing into the R&D space but not just in defense and national security community but in the broader civilian space,” Krebs said, claiming that China has been very adept in this area, knowing that when they “invest in their technology sector, they’re doing it from a GI economics perspective.”
As for the enterprise, all businesses need to do a better job patching VPNs and deploying multifactor authentication, Krebs said, adding that Biden’s executive order gives government agencies more leverage to provide risk management practices and help to private enterprise when needed.
“Cybersecurity is not just a technical risk anymore,” Krebs said. “If Colonial taught us anything, it’s that ransomware [poses] a business continuity risk and functional disruption of the ability of your organization to deliver critical assets down to the client and also ensuring you’re protecting your shareholders and other stakeholders.”
Roam’s Anderson agrees that it is imperative that the private sector not overlook the executive order’s mandates.
“With respect to a ransomware attack or other detrimental cybersecurity incident affecting our services or customers, we need to work with government contracting to strengthen contract language, be transparent with our customers, and report and cooperate with appropriate law enforcement,” he said.