Interpreting Biden’s New Cybersecurity Order

Heinz College: This past Wednesday, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. How do the standards established by this executive order compare to other existing cybersecurity standards, such as the NIST (National Institute of Standard and Technology) Cybersecurity Framework?

Randall Trzeciak: When we talk about the NIST Cybersecurity Framework, these are generally accepted recommendations or best practices of what you should do. This executive order puts some authority into these recommendations and best practices by establishing what you must do. It clearly sets forth what private companies working with the federal government will held accountable for. It provides a clear timeline and reporting mechanism for organizations to follow. In addition, it also looks internally at government agencies and prompts them to collaborate better to exchange information across different agencies and different entities.

HC: Why is cross-agency and cross-department collaboration and information sharing so important?

RT: When it comes to anticipating and responding to these threats quickly, a lot of that depends on the type of threat intelligence that’s being collected, the format of the data, and the mechanism by which that information is shared. For example, let’s focus on the energy sector. When the government works on energy supply protection with private sector organizations, I do believe there's great communication within that domain. But the lessons learned by the energy sector can and should be shared with the Department of Homeland Security and other departments and agencies, particularly as the techniques, tactics, and protocols behind cybersecurity threats change so rapidly. But right now, when you start moving across the agencies, that's where we start seeing those technology challenges that are limiting the effectiveness and timeliness of data being shared. By modernizing these systems, the executive order will allow departments and agencies to work together at the speed that is necessary to share threat intelligence and respond effectively to cyber incidents. 

HC: The order also standardized the federal government's cybersecurity standards, which includes utilizing secure cloud services, multifactor authentication, and encryption.

RT: Right! And this is more about maintaining consistency, as opposed to saying that these organizations haven’t been implementing these technologies. So again, the executive order is asking organizations to move beyond implementing recommendations, and now saying that this is what you must do. It provides accountability, with a clear timeline for implementation. Importantly, that accountability extends to the private sector. 

HC: On the subject of the private sector, a significant portion of our domestic critical infrastructure is currently owned and operated by the private sector. What advantages and challenges does this present?

RT: Just think about the Internet. A majority of the Internet is not owned by a government organization. It’s owned and operated by private organizations. So, the resiliency and dependency of the Internet relies on a decentralized model. But as you look to critical infrastructure, the federal government’s ability to deliver services through that infrastructure really does benefit from using private sector organizations that specialize in one specific domain. In some cases, private sector organizations can do it more efficiently and effectively from a cost and security perspective. There’s also a significant advantage to relying upon the private sector to build it, advance it, and keep it to a standard that utilizes leading edge technology. From the public side, there’s a reliance upon private sector organizations for critical infrastructure, as a majority of what is deployed via information technology and operational technology is owned, operated, managed, and maintained by private sector organizations. So, private-public partnership is essential.

HC: What is the private sector’s role in cybersecurity responses, and how will the executive order affect this?

RT: When a cybersecurity incident is detected, a fast recovery involves input from the public and private sectors, as well as law enforcement organizations. The intent of the executive order is to remove the barriers to sharing threat intelligence both prior to and during an incident. This isn’t just important for the public sector. On the private side, every minute that a critical service isn’t functioning equates to revenue potentially lost on the part of that particular organization. 

HC: In the White House’s official statement, there was an emphasis on the fact that a lot of the standards set for the federal government were intended to serve as templates for the private sector more generally. How do you see this rippling out from the public sector to the private sector?

RT: Keep in mind that security is a cost function. It’s a not a revenue-generating function. So, organizations have to decide what's an acceptable amount of risk they’re willing to assume when delivering critical services. To that end, there is also a degree to which implementing a certain level of security is not operationally efficient or impedes the user’s experience. Often, private sector organizations will sell security as a service or a feature in products. You’ll hear companies talk about how they never been breached and present accolades that show that they are secure. Then, once a breach has occurred, the reputational damage is significant. This can result in lost revenue and customers. So, the “carrot” to the private sector to adhere to the government’s cybersecurity standards is the competitive advantage of being secure. This order also provides the “stick,” which are the penalties for not adhering to those standards. Private companies that do not comply with these standards may no longer be able to work with the U.S. government.

HC: What would you say to someone who says that this might stifle innovation by adding yet another layer of regulation and compliance?

RT: I would say that security should have always been built in as one of the core requirements of innovation. In the software development lifecycle, there’s a term called SecDevOps, which refers to security, developers, and operations all being involved in the software development lifecycle. This means that security requirements should be included at the beginning of a project, because the later in the development, testing, deployment, and/or maintenance lifecycle that you find a vulnerability, the costlier it is to fix. So, initial investments into security will likely result in significant dividends in terms of avoiding future costs. I would also tell them to think about the organizations that have been victims of breaches. Think of the reputational damage, lost trust, lost customers, lost revenue, and in some cases, the health or safety issues caused by a cybersecurity incident. If an airplane’s navigation system shuts down due to a security vulnerability, this could result in the loss of life. This is why we need to build security in at the very beginning, as opposed to waiting to find out if additional security is needed after a product is deployed.

HC: The executive order establishes a Cybersecurity Safety Review Board modeled after the National Transportation Safety Board. How does the combination of representation of both the public and private sectors strengthen the efficacy of boards like these?

RT: I think it's a great opportunity to distill lessons learned from across the federal government into one board. It allows coordination across these organizations that are all stakeholders in responding to cyber incidents, so they can come together and say, “what can we do? What did we learn from this incident? How can we prevent these types of incidents in the future? What did we learn as part of the incident response? Which data should we be collecting? What can we do better from an efficiency standpoint prior to an incident, during an incident, and after an incident?”

HC: How might someone who is not a government employee or cybersecurity professional experience the effects of this executive order?

RT: The executive order talks about transparency, including within the “Internet of Things.” In particular, putting “brand labelling” on IoT devices. Just as a food product label explains the nutritional information of what you’re eating, these labels would explain what has gone into the software included in IoT products. The brand labeling may provide security assurance and it might include results of security assessments. If implemented appropriately and consistently, this may provide consumers some confidence in the safety of that particular device. Right now, IoT devices come with an instruction manual for the device. For example, a smart refrigerator may come with instructions on how to use the refrigerator, but it may not discuss how the refrigerator uses the Internet. It also might not explain the security mechanisms that need to be followed to fix vulnerabilities that may be identified during its use. It may not spell out what the consumer’s responsibilities are to protect the device and the network that the refrigerator connects to. When the recommendations included in the executive order are implemented, consumers may have more information provided to them as it relates to the security of the IoT devices within their homes.

***

Learn more about Heinz College's cybersecurity master's degree and executive education programs:

• Master of Science in Information Security Policy & Management (MSISPM)
• Chief Information Security Officer (CISO) Certificate Program