Policy breakdown: The 2021 Cybersecurity Executive Order and what it means for the Telecom industry
The Biden-Harris administration signed the "Executive Order on Improving the Nation's Cybersecurity" on May 12, 2021. Consisting of 11 sections, the order calls for better communication between the U.S. public and private sectors, new software development standards, and updated cyberattack response protocols nationwide.
Several policy changes will impact federally contracted telecom workers almost immediately, while others will cause a ripple effect for IT professionals and software developers down the line. Here's everything you need to know about this new Executive Order (EO): what it is, where it came from, and how it could affect the broadband market.
Why did the President sign the Cybersecurity Executive Order on May 12th?
The culmination of several large-scale cyberattacks over the past year has fueled the demand for reform. In January, the SolarWinds attack was among the first to heighten concerns when it infiltrated several government institutions and more than 425 of the U.S. Fortune 500 companies. A few months later, the HAFNIUM attack on Microsoft Exchange Server added pressure on the U.S. government for enhanced cybersecurity practices. And when the ransomware attack on Colonial Pipeline last month shut down one of the largest gasoline and jet fuel distributors on the East Coast, all eyes turned to the White House.
President Biden responded with a press conference on May 13th to outline the next steps for returning the pipeline to full capacity and mitigating future threats. Part of the multi-faceted approach involves the Executive Order, which establishes new cybersecurity regulations and Federal Government policy. Biden revealed his vision for a lead-by-example solution when prompted by a reporter:
"The bottom line is that I cannot dictate that the private companies do certain things relative to cybersecurity... But I think it's becoming clear to everyone that we have to do more than is being done now, and the Federal Government can be significant value-added in having that happen."
While the President is clear that he is not ordering private companies to follow these regulations, the Executive Order does call for more information sharing between contracted IT professionals and the government. This could impact the wider market's software manufacturing standards and cybersecurity practices.
In a rush? Skip ahead to sections 2 & 4 to look at the policies that could impact software distribution and IT confidentiality clauses most directly.
What is the Cybersecurity Executive Order? Section-by-section breakdown.
The first thing to know about the Biden-Harris Cybersecurity Executive Order (EO) is that it addresses both the public and private sectors, calling on them to work together for optimized defense protocols:
"Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector," the Executive Order reads (Section 1). "The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace."
The necessity for this federal and state defense collaboration, as well as the disclaimer on private-sector enforcement, is thoroughly explained in section 1 of the EO titled "Policy." Meanwhile, section 2 lays out the first steps towards a more unified national approach to cybersecurity.
Section 2: Better information sharing between local and federal entities.
Under section 2 of the Executive Order, federally contracted IT professionals must share any significant cybersecurity concerns, such as a breach that could impact Federal Information Systems, with the appropriate government office. This will allow federal defense entities like the Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI) to examine network infiltrations before they become detrimental (Section 2a).
For anyone working in the information technology field, confidentiality clauses may come to mind. A contracted IT professional (even one hired by the government) is typically obligated to protect sensitive company information, such as the details of a system breach. Section 2 of the EO accounts for this, calling for revisions to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements in the interest of removing roadblocks to information sharing. New contract language mandating how incidents or potential incidents will be reported is expected to be submitted by the Director of the Office of Management and Budget (OMB) and relevant parties within 60 days (about two months) of the EO's publication (Sections 2b & 2c).
Section 2 is significant because it speaks directly to how service providers collect information, report on cybersecurity incidents, collaborate with the Federal Government, and operate systems under agency contracts. At a glance, the order stipulates that such service providers:
- Share any relevant data or information on cyber incidents with their contracted agencies.
- Collaborate with cybersecurity agencies in their investigative efforts in the case of a potential incident on Federal Information Systems.
- Remain open to implementing modern technologies for network security and monitoring if the contracting agency requests it.
- Follow industry-recognized best practices for threat response and remediation.
For a complete look at what this Executive Order entails, we encourage ISPs to read section 2(c)(i)-(iii).
Section 3: Modernizing federal government cybersecurity architecture
The global cloud computing market was valued at $371.4 billion in 2020 and is estimated to double to $832.1 billion by 2025. The U.S. Government will inevitably depend more on the cloud for data storage and recognizes the need for proactive defense against its threat vectors:
"To keep pace with today's dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity," the order reads.
One example of this modernization involves investing in new cybersecurity defense solutions, including:
- Zero-trust architecture
- Updated cloud security services, like Software as a Service (SaaS) or Platform as a Service (PaaS)
- Wider adoption of user-facing tools such as two-factor authentication
- Centralized access to cybersecurity data for better management and monitoring
The public can expect many of these changes to occur by November 8, 2021 (cai.io, 2021). A federal cloud-security strategy with new integration guidelines will also arrive by August 10, 2021 (section 4i).
Section 4: Federal regulations of software supply chain security
Section 4 highlights the current security lapses in the U.S. software supply chain, specifically related to the reliability of "critical software" with access to high-security networks. By elevating the development and distribution standards of software sold to the Federal Government, the EO aims to strengthen the security of the larger software supply chain on the consumer markets:
"The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors," explains section 4. "There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended."
This portion of the EO calls upon the National Institute of Standards and Technology (NIST) to create new protocols for software suppliers interested in selling to the Federal Government. The institution has until November 8, 2021, to publish "preliminary guidelines" for the new best practices and until February 6, 2022, to collaborate with the Secretary of Commerce on new software supply chain regulations. Some notable updates (Veracode, 2021; Snyk, 2021; Mondaq, 2021) include:
- More visibility into software development with a Software Bill of Materials (SBOM)
- New security controls and monitoring for software manufacturing locations
- Updated regulations for open-source software
- A pilot program for IoT security labeling
We've looked closely at the possibility of the Biden Administration adopting a cybersecurity rating system from Singapore and what a Cybersecurity Labelling Scheme (CLS) in the U.S. could resemble. Now, it appears that within 270 days of the date of the order (May 12th), the Secretary of Commerce, the Director of NIST, and all other relevant parties will collaborate on the prototype:
"The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone," reads the EO (section 4u). "This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation."
Section 5: A cybersecurity safety review board
Under section 5, a national cybersecurity review board will be established to evaluate current incident response tactics and propose new best practices. Tangible updates will be published by both government and private sector co-chairs to continuously improve the nation's cybersecurity remediation efforts. According to the White House Fact Sheet, it is modeled on the National Transportation Safety Board, which is responsible for investigating and responding to civil safety incidents.
Section 6: A standardized playbook for response to cybersecurity threats
The government believes all Federal Civilian Executive Branch (FCEB) agencies must have a uniform approach to threat mitigation and a well-planned response in the case of an attack. Take ransomware, for example. One study found that 80% of companies that paid a ransom after a ransomware attack suffered another attack down the line. A standardized response protocol for ransomware demands, phishing attempts, and other attacks would be beneficial.
It is yet to be confirmed what this playbook will entail specifically, but the Secretary of Homeland Security and several departments are expected to accomplish these initiatives by September 2021 (about four months after the EO):
- Produce a list of operational best practices for cybersecurity incident response across the government, including how to diagnose network threats, notify system owners of infiltrations, perform testing, etc.
- Upgrade our federal cybersecurity standards according to new best practices, as outlined by the National Institute of Standards and Technology (NIST)
Section 6 intends to set a new standard for federal system monitoring and management in the future, which could eventually trickle down to corporate IT networks.
Sections 7 & 8: Improving the detection and remediation of vulnerabilities on government networks
At its core, section 7 is about helping the government lead in cybersecurity detection, which it intends to do with a "strong, government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing" (section 7b). It calls for better collaboration protocols between the government agencies responsible for defending FCEB Information Systems, including an updated Memorandum of Agreement (MOA) to be established by the Secretary of Homeland Security and the Director of CISA within 75 days (section 7f).
Section 8, titled "Improve the Federal Government's Investigative and Remediation Capabilities," will create new system requirements for event and incident logging. Once again under the oversight of the Secretary of Homeland Security, additions will be made to our nation's cybersecurity logging protocols for better consistency and proactive incident reporting. Specifications for how these logs will be kept, including retention periods, formatting suggestions, and security measures to protect data integrity, will be submitted for approval accordingly (see also: gtlaw.com).
Sections 9, 10, & 11: Administrative details and deadline requirements
We will keep the rest of the sections brief, as they relate more to the Executive Order's administrative details and deadline requirements.
Section 9 states that although the respective agencies will adopt the National Security Systems requirements laid out in the EO within the mentioned timelines, no policies will undermine the authority of National Security Directive 42.
Section 10 defines the terms and legal jargon used throughout the Executive Order.
Section 11 is a series of general provisions and regulations for the rollout of the 2021 Executive Order.
What does the new Executive Order mean for the telecom industry?
While the Cybersecurity Executive Order pertains only to the Federal agencies it addresses directly, the goal appears to be for the same regulatory improvements to be adopted at the state, local, and corporate levels:
"We encourage private sector companies to follow the Federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents," claims the EO's official fact sheet review.
Section 2 (information sharing) and section 4 (software supply chain regulation) are predicted to have the most significant impact on IT professionals and government subcontractors moving forward. Even while many of the EO's provisions remain undefined during the drafting period, higher manufacturing standards are likely to trickle down to the private sector as consumers become aware of the security divide.
All companies that develop software, handle IoT devices, or oversee IT operations should keep an eye on the aftermath of the Executive Order for updates and published revisions.