In "Unintended Consequences of the Information Economy II" (2021), I mentioned an Executive Order issued in May of this year (2021) by the Biden White House: "Executive Order on Improving the Nation's Cybersecurity" (EO 14028, signed May 12, 2021). This morning over a leisurely Christmas Eve breakfast I read the fifty-four page EO from start to finish. (It's not that onerous; the way it is formatted on the White House web site, with very short lines, it was expeditious to print it two web pages per physical page.)
I'm tempted to say that I've never read an EO before, so I didn't know what to expect. I've read so much stuff over the past decades, I can't say for certain. (I once found myself having to read the U.S. Department of State International Traffic in Arms Regulations in regards to a commercial product I was helping develop for the business aviation space.) But for sure, I didn't expect the EO to be as interesting (or as readable) as it was. Here are some of the things I consider highlights:
- There was a lot of verbiage about the need for federal agencies to share information with one another on malicious cyber campaigns. This may seem obvious, but in many organizations - government and commercial - this might be a hard sell. There is little incentive for organizations to admit they've been hacked, for lots of reasons. So an EO which requires federal agencies to do so is probably a good thing.
- There was also a lot of talk about the need for vendors who sell into the federal government space, especially cloud service providers (CSPs), to share information on malicious cyber campaigns. Good idea, especially since they may detect such campaigns in their commercial environments as well. The same disincentives apply as above.
- The EO requires federal agencies using cloud services to adopt Zero Trust Architecture "as practicable". Also a good idea, and (if I am to be honest) something I haven't been that great about in some of my own work. I need to do better, and so does the U.S. Government.
- There is a section on the need for vendors that sell into the federal space to use a secure software development environment. It recommended such actions as administratively separate build environments, and automated tools to demonstrate conformance to secure development processes. There was a lot of text about the need for products to provide a verifiable software bill of materials (SBOM). Keep in mind this was written back in May of this year, months before the Log4j vulnerability came to light. If the software products in use today that depend on Log4j had shipped with such an SBOM, finding every affected deployment would be a query against an inventory rather than a scramble through build files and jar archives, and a lot of IT folks might be having a much more relaxed Christmas holiday.
- Really an eye opener for me: there is a section proposing a cybersecurity labeling standard for consumer internet-connected (i.e. Internet of Things) devices. I very much look forward to seeing what happens with this. As a cybersecurity engineer friend of mine quips: "the 'S' in 'IoT' stands for 'Security'". I confess I am still grappling with security concerns - and the tradeoff between security and real-time behavior - in my own IoT projects.
- Most unexpected: a long section explaining the use and value of system log files. Preaching to the choir, President Biden. It requires federal agencies and their IT service providers to save such logs in a secure manner, and to periodically verify the logs against hashes to ensure they haven't been modified. (Those hashes only help if they are kept somewhere that the log host, and therefore an intruder on it, cannot rewrite them.) Such logs are crucial for post-hoc analysis of lots of stuff, not just malicious cyber incidents.
- The EO contains the usual caveats and exceptions for the Department of Defense and the Intelligence Community, but at the same time requires cooperation and leadership across the DoD and IC for this effort.
- Several requirements mention the use of automated software tools to audit, verify, and analyze the security of government IT systems. This is going to attract a lot of tool vendor attention. It will be interesting to see how those vendors address this, since the tools themselves - which are likely to be large and complex - will also be recursively subject to these same requirements. (I find myself reminiscing about Gödel's incompleteness theorems from graduate school.)
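To make the SBOM point above concrete: this is an added example, not code from the original post or from the EO, that walks a small CycloneDX-style SBOM and lists every copy of a named component whose version is below a "fixed in" threshold. The SBOM document, the component names and versions, and the threshold (log4j-core below 2.15.0) are all constructed inputs supplied by the caller, and the version parser only understands Maven-style `major.minor.patch[-prerelease]` strings.

```python
"""Query a software bill of materials (SBOM) for copies of a vulnerable component.

Added example (not from the original post or the EO). The SBOM below is a
constructed, minimal CycloneDX-style JSON document; the "affected" rule
(log4j-core below 2.15.0) is an assumption supplied by the caller.
"""
import json
import re
from typing import Iterator, List, Tuple

# Constructed sample SBOM: one direct log4j-core dependency, one library that
# bundles its own (nested) log4j-core, one patched copy, and an unrelated module.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "report-engine",
         "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9"}]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
    ],
})


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    The numeric part is padded to three fields so tuples of equal length are
    compared; a pre-release label sorts *before* the release it precedes,
    so '2.0-beta9' < '2.0' < '2.0.1'. Versions with more than three numeric
    fields are truncated (a documented limitation of this small parser).
    """
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums = (nums + (0, 0, 0))[:3]
    return nums + ((0, pre) if pre else (1, ""))


def walk_components(node: dict) -> Iterator[dict]:
    """Yield every component, descending into nested (bundled) components."""
    for comp in node.get("components", []):
        yield comp
        yield from walk_components(comp)


def find_affected(sbom_json: str, group: str, name: str,
                  fixed_in: str) -> List[Tuple[str, str, str]]:
    """Return (group, name, version) for each matching component below fixed_in."""
    bom = json.loads(sbom_json)
    threshold = parse_version(fixed_in)
    hits = []
    for comp in walk_components(bom):
        if comp.get("group") == group and comp.get("name") == name:
            if parse_version(comp.get("version", "0")) < threshold:
                hits.append((group, name, comp["version"]))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, "org.apache.logging.log4j",
                             "log4j-core", "2.15.0"):
        print("affected:", hit)
```

The nested walk is the part that matters in practice: the copy of the library that bites is often the one bundled inside another vendor's component, which a flat listing of direct dependencies never shows.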
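And for the logging bullet, an added example (again, not code from the post or the EO) of what "periodically verify the logs against hashes" can look like: each line's digest is a keyed HMAC over the previous digest and the line, so editing, deleting, reordering, truncating or appending to a sealed log changes the chain and the verifier reports the first line that no longer matches. The log lines and the key are constructed; the assumption, noted in the code, is that the key and the stored digests live with the verifier rather than on the host that writes the log.

```python
"""Hash-chain sealing and verification of log lines.

Added example (not the post's or the EO's own code). Each line's digest is
chained to the previous one, so editing, deleting or reordering any line
changes every later digest. The key and the log lines are constructed here.
"""
import hashlib
import hmac
from typing import List, Optional

# Constructed sample: a few syslog-style lines (not real captured logs).
SAMPLE_LOG = [
    "Dec 24 07:01:12 host sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51222",
    "Dec 24 07:02:44 host sudo: ops : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart app",
    "Dec 24 07:03:01 host app[2210]: started worker pool size=8",
]

# Assumption: the sealing key and the stored digests live with the verifier
# (a SIEM or a separate integrity host), not on the machine that writes the
# log. With an unkeyed hash kept beside the log, an attacker who can edit the
# log can simply recompute the chain.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # starting value for the first link of the chain


def chain_digest(key: bytes, prev: bytes, line: str) -> bytes:
    """HMAC over (previous digest || line): links each line to all before it."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines: List[str], key: bytes = SEAL_KEY) -> List[str]:
    """Return one hex digest per line; store these away from the log itself."""
    prev = GENESIS
    out = []
    for line in lines:
        prev = chain_digest(key, prev, line)
        out.append(prev.hex())
    return out


def verify(lines: List[str], digests: List[str],
           key: bytes = SEAL_KEY) -> Optional[int]:
    """Return None if the log matches its stored digests, else the index of the
    first line that fails. For a closed (archived) log, extra lines at the end
    are reported as failures too, and a truncated log fails at len(lines)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        if i >= len(digests):
            return i  # lines present that were never sealed
        prev = chain_digest(key, prev, line)
        if not hmac.compare_digest(prev.hex(), digests[i]):
            return i  # this line, or an earlier one, was altered
    if len(digests) > len(lines):
        return len(lines)  # sealed lines are missing from the end
    return None


if __name__ == "__main__":
    digests = seal(SAMPLE_LOG)
    print("intact:", verify(SAMPLE_LOG, digests))
    edited = list(SAMPLE_LOG)
    edited[1] = edited[1].replace("restart", "stop")
    print("edited line 1 detected at index:", verify(edited, digests))
    print("deleted line 1 detected at index:", verify(SAMPLE_LOG[:1] + SAMPLE_LOG[2:], digests))
```

A periodic verifier for a live log seals up to the current length on each run and only treats the already-sealed prefix as fixed; the closed-log rule used here, where any extra line is a failure, is the right one for archived segments that should never change.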
I still think the major impact of this will be more revenue for the small handful of ginormous prime contractors in the defense space. But I'd like to believe it's a step in the right direction.