Joe Biden has signed an Executive Order to improve national cyber security and protect federal government networks more effectively. The attack on oil pipeline operator Colonial Pipeline, a story that reached the mainstream media, was the last straw. Although the cybersecurity industry could sense that ransomware would end up hitting critical infrastructure and causing chaos, it has taken the threat to materialise for a reaction to occur. Hopefully it will have beneficial consequences. Cyber security now has another game-changing attack to add to its history.
Negative events capable of changing the laws, the paradigm or the collective awareness of an industry can be counted on a single hand. In cyber security, perhaps (without trying to be exhaustive) we can talk about Blaster and Sasser in 2003, which completely changed the perception of security at Microsoft, a perception that was already quite damaged. Stuxnet in 2010 warned us about cyberweapons and made the world aware of the new cyber and geopolitical strategy. And of course, WannaCry in 2017, a blow to the industry’s pride for being attacked at that point by a worm that exploited an already fixed vulnerability. Despite years of dealing with ransomware, it has taken an incident with serious consequences for the United States to tighten the rules. Because if we think about it, it was the next logical step in the escalation: from attacking users to hijacking SMEs, from SMEs to large companies, from these to organisations and from there, it was assumed, to critical infrastructures. But the incident (along with many others that have followed) has finally prompted the president to react.
This executive order aims to modernise defences but above all to focus on a problem that can still, despite the seriousness of the situation, be mitigated. Fundamentally, the order aims to increase information sharing between the government and the private sector and to improve the ability to respond. The basic action points are:
- It allows private companies (especially those hosting servers) to share information with the government. This will speed up the investigation process when incidents occur involving access to a server. They will also have a maximum time limit for reporting such incidents.
- Improve and adopt cyber security standards in the federal government. This is a commitment (at a high level, although specific technologies are mentioned) to adopt the best standards (2FA, cryptography, SDLC…) from within the government’s own infrastructure.
- Improve supply chains, as the SolarWinds attack has taught us. Software sold to the government will have to meet minimum security requirements. There will be a kind of certificate of accreditation, similar to that for energy or emissions.
- A private and public cyber security review board or commission. When an incident occurs, it will be managed and conclusions will be drawn in a coordinated manner. This commission is inspired by the one already in place in aviation, where the private and public sector meet after major air incidents.
- A standard incident response system will be created both internally and externally. Companies will no longer have to wait for something to happen before they know what needs to be done.
- Improve the defence capability of the federal network. Perhaps the most generic measure, which aims to reinforce the entire government infrastructure with appropriate cyber security tools.
- Improve remediation and investigation capacity. Perhaps this comes down, essentially, to improving logging systems.
And now what?
This executive order will mean that companies will have to comply with minimum standards, procedures, audits… In short, it will create a healthier industry, one that monitors itself more closely. More robust and united, we hope. Something similar to what the debit and credit card companies did when they implemented PCI DSS, which obliged everyone who worked with this data to pass a minimum audit. While it will not solve the problem entirely, it will significantly improve it. It puts the focus on cyber security at the highest level, joins forces and, as mentioned, attacks the problem from a political and legal perspective that complements the technical approach, which is insufficient on its own.
However, there is still a lack of clearer laws against attackers that would make it easier to prosecute them, identify them and impose sanctions at a global level. There is now political and legal support to promote security from a technical point of view, but cyber is also legal, social, political… and the activity of attackers must be tackled from all these angles. Such a serious problem, although technical in nature, cannot be solved from that angle alone. If we merely concentrate on patching and responding, auditing and certifying, we will not make enough progress. In any case, this order is great news and a first step in that direction.