Though the internet’s rise to omnipresence brought about innovation and prosperity, it also became a vehicle for malicious attacks on our nation’s networks, infrastructures, and our most vulnerable populations. In today’s cyber threat landscape, no target is too small — or too big.
The Colonial Pipeline ransomware attack in 2021 made apparent the potential impact of just one cyberattack. President Biden signed Executive Order (EO) 14028 to bolster national cybersecurity standards in response to this incident — and the steep rise in cyberattacks preceding it.
Let’s face it: pinning down the perfect set of defensive standards is impossible. Malicious actors will constantly evolve and change tactics to evade our cyberdefenses. But EO 14028 gets a lot of things right when it comes to cybersecurity on a federal level. Let’s look at four ways it does this well.
Rather than leave federal systems open to malicious attacks, agencies are now required to operate on secure cloud services with zero-trust architecture. These requirements let agencies keep all the convenience and efficiency that cloud services afford, while reducing the human error that lets threat actors breach them.
Users can only gain access to federal information through multifactor authentication (MFA), which adds layers of protection beyond a single set of credentials. Cybercriminals would not only need to compromise the correct devices, but also do so at just the right moment to fake their way into a federal system.
It’s become clear that, while every federal network is interconnected with dependencies (think communities, industries, and critical infrastructure and processes), its safeguards have not necessarily kept up with modern threats. This level of connectivity called for a serious re-examination of foundational cybersecurity standards for all federal agencies.
EO 14028 institutes higher security standards for the software every federal agency uses. Multiple agencies — including the National Institute of Standards and Technology (NIST) — now oversee initiatives to make computing environments safer. In accordance with EO 14028, NIST:
Provided guidance to safeguard software supply chains.
Published minimum standards for software development.
Established security measures for critical software.
Incident response standards also received a much-needed upgrade. Federal departments and agencies now have standard playbooks for federal system breaches — which the Cybersecurity and Infrastructure Security Agency (CISA) has made publicly available for any organization to learn from. The playbooks cover everything, including:
What to do during a breach.
How to contain a threat.
The follow-up steps required post-incident.
Information around a cyberattack can leave a trail of digital crumbs leading to its source and (if we’re lucky) solutions. So the more we can gather as close to that source as possible, the better. That’s where the Federal Acquisition Regulation (FAR) and its closely linked supplement, the Defense Federal Acquisition Regulations Supplement (DFARS), come into play. Executive agencies like the DoD and NASA use FAR and DFARS to acquire supplies and services, including software.
EO 14028 calls for updates to FAR’s and DFARS’s language, requiring vendors to report incidents and share detailed and timely information about cyberattacks. Information on who was attacked, when, and how can be shared with fellow industry professionals and experts to build a solid, united front against threat actors.
Adding to that united front, removing barriers to information sharing allows for more effective communication from many perspectives. So it’s to everyone’s advantage that EO 14028 encourages collaboration not only between federal agencies, but also between federal agencies and organizations in the private sector. The Cybersecurity Safety Review Board, composed of leaders from both worlds, was established under the executive order.
The board convenes after significant cyber incidents to share information, analyze what happened, and recommend ways to prevent or mitigate future attacks. In light of the attack on the Colonial Pipeline, its first meeting focused on remediating the cascade of industrial damage and addressing the vulnerabilities threat actors exploited — particularly in the Log4j library.
While EO 14028 isn't an instant fix, it lays solid groundwork for a higher standard of cybersecurity fundamentals at the federal level. Its primary directives leave room for — and even encourage — growth and flexibility in facing down cyber threats. Consistently improving proactive measures, keeping detailed records, and pushing for collaboration will help us, as a country, build upward from there.