Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.
Although the administration reportedly won't release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, and they have been met mostly with skepticism from top cybersecurity professionals.
EO requires breach reporting, software standards, basic practices
According to a draft executive order seen by some reporters and selected experts, government contractors would be required to report attacks on their networks and software to their federal government customers within a few days of discovery, much the same way the EU's GDPR requires organizations to notify regulators of a personal data breach within 72 hours of becoming aware of it. According to reports, the relevant government customers would then pass the reported data on to DHS's Cybersecurity and Infrastructure Security Agency (CISA).
The order would also reportedly require federal contractors to meet specific software standards and to adopt basic security practices, including data encryption and two-factor authentication. The order reportedly goes further for software vendors, requiring them to secure their build systems, for example by keeping those systems disconnected from the internet and tracking the identity of the workers who have access to them.
EO should recognize cloud, embrace new thinking
According to one cybersecurity expert who saw an early, high-level version of the EO, "The first takeaway for me is I'm concerned that there's not enough recognition of the cloud side of things. It's clear that that's going to be a growing vector for future attacks. It is in some ways the part of this risk landscape that we have the least good information about in any detail," the source tells CSO on background.
"Security standards are great, secure development is good,” the source adds. “It's important. We've been debating this for 20 years. I haven't seen the EO in its full text, but I'm concerned that we don't know enough of how much these new policies around secure development have learned the lessons from what's been tried before."
The source also expressed concern about how critical and non-critical software are defined. "There needs to be a lot of focus on what exactly constitutes critical software."
The source would rather see the EO push new ways of thinking than lean on the old and so far unsuccessful security methods. "What I'm hoping, but I'm not necessarily optimistic about seeing a lot of in the EO, is 'Hey, we need to think about this differently. It's not just about telling people what to do,'" the source says.
Mandatory breach reporting could waste time
Some experts worry about the burdens imposed by mandatory breach reporting requirements, particularly if software and hardware providers are obligated to report incidents within days. "We have to be very careful because many times we have false positives," Carlos Perez, practice lead, research, at TrustedSec, tells CSO. "We have such a short time [if, for example, the reporting requirement is within three days]. Sometimes it won't be enough for some contractors that don't have a security team. Or all of a sudden, somebody opened an email, and the attachment looked funny, and now they're going like, 'Oh, we have a three-day ticking time bomb for us to find out if this was truly malicious or not.'"
Ang Cui, founder and CEO of Red Balloon Security, agrees. "It's just going to waste a lot of people's time," he tells CSO. "If we have a detection system that reports false positives and everybody kind of punts that upstairs, what is that really going to do to improve the security of the infrastructure that we care about? You're just imposing additional costs and bureaucracy and paperwork on the thing."
"What I think we should do is stuff that actually improves the security of these devices," Cui says. Trying to stop the same type of software supply chain hacks that happened in the past "is not actually going to do much for real security for a ton of reasons. But basically, it's saying let's pass a law that prevents exactly the same thing that happened yesterday."
As far as mandating software build requirements and tracking the people who worked on the software, Cui is equally skeptical. "Just because you track human beings, it doesn't mean that person writes secure code. Is it going to waste a whole lot of time and resources? Probably."
Will the government make the same security mistakes again?
Karim Hijazi, founder and CEO of cyberintelligence company Prevailion, fears that the federal government might make the same mistakes that it has in the past. "I worry that we keep repeating the narrative," he tells CSO. "It's Groundhog Day in the industry once again. I was around watching Einstein [a situational awareness system created within DHS] come online, and I was hoping dearly that it would be a good information-sharing effort. It's been nothing but a waste of time and money."
The real problem, Hijazi argues, is not identifying vulnerabilities in systems but knowing that an adversary is already inside the network, which he contends is the case for virtually every major organization. "We need continuous awareness of what's going on so that we don't have something fester for six months. The dwell time of that adversary in these environments, as we see here, makes this absolutely insurmountable over time. The more embedded they are, the more you have to start from scratch."
Hijazi is not optimistic that the Biden administration's EO will move the ball toward better cybersecurity. "At this stage of the game, you're asking the same people to dust off the same playbook over and over again. They should allow the entrant of some fresh blood; some harder questions being answered."
Like many other cybersecurity professionals, Hijazi doesn't have a lot of faith that the federal government is qualified to handle hacks on the SolarWinds or Microsoft Exchange scale. "When SolarWinds happened, we got a call set up with CISA. They canceled our call because they were in the throes of being compromised themselves. Then the Department of Energy called CISA saying ‘we need help.’ CISA said, 'We can't help right now. We're busy with our own problems.' And now you guys are in charge of coming up with a solution?"