In the wake of cyberattacks like SolarWinds, Colonial Pipeline, and JBS Meat Packing, President Biden’s Executive Order is a salve on a gaping wound. Launched on May 12, 2021, the Executive Order (EO) outlines the desperate need for the Federal Government and private companies alike to tighten their cybersecurity infrastructure by focusing on modernization and zero trust architecture models, software supply chain security, and threat intel sharing. As Michael Echols stated in a previous Reimagining Cyber Podcast, “The Government isn’t here to save you.” The Executive Order puts the onus on the Federal Government to lead the charge but expects companies to play their part, tighten up their cybersecurity infrastructure, and protect their “crown jewels.” A recent shining example of positive momentum came on August 25th at the White House, with several private sector companies stepping up to help bolster cybersecurity capabilities with commitments of over $30B+ over the next five years.
Now that the EO has been in place for a few months, we had the privilege of speaking with Nick Ward, CISO for the Department of Justice with the U.S. Government and recent Cybersecurity Leader of the Year award winner. In this week’s Reimagining Cyber podcast episode “Progress over Perfection: Implementing the Executive Order,” Nick shares his view on the Executive Order and strategies being implemented in support of several key elements of the EO.
Zero Trust Architecture Principles
A Zero Trust Architecture (ZTA) can serve as the foundation of a robust cybersecurity program.
“Zero trust sometimes gets a bad name in the cybersecurity world because we often are a bit jaded from the vendor community in terms of, you know, somebody trying to bring some new marketing term and I think it's a mistake for people sitting in seats like mine, where we can use that to help really drive change within our organizations,” says Ward.
Understanding not just which applications are being accessed and on which devices, but also by whom and from where, is critical.
“The real key foundation there is identity. You have to have a good strategy on how are you going to identify the people that are authenticating into your applications and accessing your data,” Ward says.
He adds that a ZTA can help answer questions such as:
- Do you know that the person actually is who they say they are?
- Did the agency that you’re trusting sponsor them in a way that you have a high level of confidence they are who they say they are?
“We can’t let perfection prevent us from making progress in this area,” he warns.
“We've got to be looking at what are the foundational capabilities, build that and start bringing on your applications. If you've got legacy applications, get it brought in. Don't wait five or ten years until you modernize the application. Bring it in now. Isolate the thing, put a proxy in front of it, whatever you got to do, to start leveraging the benefits of zero trust architecture today.”
Protecting the Supply Chain
The SolarWinds attack was a prime example of the risks that software supply chains present. Supply chain risk management is one of the biggest challenges, Ward says. With the thousands of vendors the federal government interacts with, it’s impossible to manage the security of every vendor. So how do you tackle a problem like this?
Ward recommends looking at your most critical vendors. Which ones, if breached, could hurt you the most? He also says changing the industry standards in order to raise the bar across the board will be beneficial for all.
“You can't buy from certain types of vendors unless you've done you know, these kinds of certifications and things like that…we do have to put pressure on ourselves to be introspective and really raise our cybersecurity bars internally. Which will in turn, reap benefits across, you know, both from the customer side and from the supplier side.”
Money talks, as they say.
There are some clear (and understandable) barriers to threat intel sharing, but it remains an area where better collaboration will truly make a positive impact on how we all (private and public sector) can be better prepared to prevent and minimize security incidents.
“A lot of it has to come down to trust…can we trust each other to share the information?” Ward asks contemplatively.
“I think there's a strong desire on both sides to do so. That, I mean, our adversaries, like they're getting better and better, and they're not shy about sharing information. They're selling malware botnets access to my systems and everything else, and they'll share it, sell it however they can commoditize it, and we need to be doing the same thing,” he says.
By sharing threat intelligence, everyone benefits. We become stronger as a unit.
Do you agree with these recommendations? What are you implementing within your organization (and how)? Share in the comments below.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.