Cyber EO makes timely delivery of cyber resilience a top priority
Service providers and device manufacturers should, as a best practice, build in and assure the highest safeguards in cybersecurity in their products. This is something that we here at Mender.io take very seriously and have enshrined in our product design through the Triangle of Trust™, which seeks to ensure that only “the right people make the right changes to the right edge devices”.
The threats are real and persistent: we saw this with the recent ransomware attack on the IT systems of the Health Service Executive (HSE) in Ireland, and that attack followed hot on the heels of the ransomware attack on the Colonial Pipeline in the US. The threats to physical and mission-critical public and enterprise infrastructure are clear and present.
Zero Trust infrastructure
In response to the clear and present dangers, the US Federal Government is upping the ante. It is increasing its cyber resilience with a move toward “Zero Trust Architecture.” What is important to note is that this is all being done with a strong sense of urgency. In fact, new legislation signed into law sets a 180-day deadline for all Federal agencies to adopt multi-factor authentication and data encryption practices. This applies to both data at rest and data in transit. Progress reports will also have to be produced and submitted within this aggressive timeframe. Clearly, President Biden and his administration mean to get tough and stamp out cyber threats in light of the SolarWinds and Colonial Pipeline attacks. The Department of Commerce (NTIA) gets 60 days to produce a software bill of materials with a minimum viable specification for the expectations around the integrity of the code at the root of the software supply chain.
Signed on May 12 last, the Cyber EO lays out a roadmap for congressional cybersecurity legislation that will apply directly to private sector companies that avail of Federal service contracts, and indirectly to their sub-suppliers. This legislation is mainly about industrial-grade IoT products and less so about consumer IoT products. That said, new labels will be introduced for consumer products to inform and educate on the steps taken by providers to ensure cybersecurity resilience.
What is in Cyber EO?
The Cyber EO will establish secure development guidelines for software sold to the federal government, prioritizing “critical software” and its security. Critical software is defined as software that performs functions critical to trust such as “affording or requiring elevated system privileges or direct access to networking and computing resources.”
The legislation uses the Federal Government’s procurement power to help accelerate the achievement of these operational goals and to change the private sector’s attitude to building cybersecurity protections into its products. The onus now falls onto the shoulders of the private sector to implement cybersecurity best practices, and the supporting technical and social frameworks, to minimise risk. Their incentive is the ability to win Federal Government contracts. Immediately, Operational Technology (OT) and IT suppliers to the Federal Government will have to demonstrate greater transparency in showing how their products and services can resist cybersecurity attacks. This will likely be written into most contracts given out by Federal Government procurement agencies.
Cyber threat and incident information sharing
Contractors and suppliers to federal government agencies will also be compelled to share more information on cybersecurity threats and incidents with their customers in the Federal Government. They will be required under the law to collect and preserve data relevant to cybersecurity events, including “event prevention” information; and they’ll have to share such data directly with federal agencies with which they have contracted, and any other agency designated by Office of Management & Budget, when that relates to a cyber incident or potential incident.
They will also have to collaborate with federal cybersecurity or investigative agencies in their investigations and responses to incidents or potential incidents, and be proactive in sharing cyber threat and incident information with federal agencies. The Department of Homeland Security will work with the Office of Management and Budget (OMB) to ensure that “to the greatest extent possible” service providers comply diligently with the requirements and share all data necessary for federal agencies to respond to cyber threats, incidents, and risks.
New reporting procedures, which will be developed within 90 days of the Cyber EO, will ensure that providers “promptly” report incidents involving a software product or service provided to federal agencies, with a maximum three-day deadline for the “most severe” incidents.
The Cyber EO also sets out a system of product labels to maximize participation by manufacturers. NIST will create pilot consumer-labeling programs for IoT devices and secure software development. The label will be similar to the “Energy Star” label. It is debatable whether this is the right approach, as it could encourage providers and customers to manage security by checklist, when the proper strategic approach is to meticulously assess all risks and plan to mitigate them accordingly.
Effective legislation from the Federal Government has arrived in the form of Cyber EO. It creates incentives and compliance paths for IoT service providers and device manufacturers to ensure that their customers are protected with the highest levels of cyber resilience in their products and services. It also ensures that the transparency and speed of response to cybersecurity threat vectors and attacks will be applied to all.