By Jean Schaffer, Federal CTO, Corelight
For those of us who have spent our careers in cybersecurity, President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028) held no surprises. It is, however, a step toward accelerating the modernization of the public and private infrastructure on which the nation relies.
I want to highlight sections of the EO that I believe federal agencies should study closely and offer my thoughts, drawing from more than 30 years of cybersecurity experience with the Department of Defense, including dual roles as CISO and chief of enterprise operations and cybersecurity for the U.S. Defense Intelligence Agency (DIA).
Section 1 – Policy
“…the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
We recognize that the government cannot do this alone and must partner with the private sector to develop, acquire and implement the best technology and services for the government and to secure critical infrastructure such as energy pipelines, electrical grids and financial markets. This partnership, however, is often elusive, and the result is a patchwork in which the government sometimes partners and sometimes goes it alone. That has led to gaps in coverage and inconsistencies across departments and agencies, and to the lack of a cohesive strategy and implementation across the government, much less between the public and private sectors. After a full career, I retired from government service and joined the Corelight team to contribute to this very purpose. With its public sector roots and its foundation in the open source security technology Zeek®, Corelight has a track record of successfully partnering with leading agencies to defend their networks. Corelight is developing the best Open Network Detection and Response (NDR) platform to combat cyberattacks and delivering these capabilities to US government entities.
Section 2 – Removing Barriers to Sharing Threat Information
The government will modify the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) to include mandatory cybersecurity sharing language for any IT or OT service provider to the government, requiring those providers to “…collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control.”
Although the American public may have believed such a policy was already in place, the reality is that most service providers have not been forthcoming in the past. Fearing negative attention, they felt they could address and mitigate these problems internally. We must move beyond this and recognize that we are collectively stronger when we collaborate. Kudos to Mandiant for not only identifying the SUNBURST threat but also sharing its discovery and subsequent understanding of the attack in real time to accelerate mitigation.
Section 3 – Modernizing Federal Government Cybersecurity
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, … centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
There is a lot to unpack in this section. It highlights and builds upon the existing strategy and momentum for modifying the government’s architecture to take advantage of the cost, performance and efficiency of multi-cloud environments, and for focusing on protecting vital assets and data in a post-perimeter world. It stresses that centralized, multilayered visibility into security data is critical to supporting Zero Trust implementations. And it correctly highlights that achieving these goals requires investment in both the cybersecurity workforce and the technology. Corelight recently published a white paper, “Why Zero Trust Requires Uncompromising Network Visibility,” that goes into more depth on this.
Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
“The Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks. This approach shall include increasing the Federal Government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government’s cybersecurity efforts.”
This is a foundational principle of cybersecurity. Complete coverage of the government’s (or any organization’s) network is vital because you cannot defend what you do not know you have. The first thing an adversary does is reconnaissance of your network, to learn what is in use and identify weaknesses; taking that same inventory is also the foundational step in defending your infrastructure. Every organization needs strong NDR capabilities, including robust threat hunting, so that anomalies are investigated and the weaknesses behind them remediated before an adversary can exploit them.
Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
One of the tenets of Zero Trust is to assume that your perimeter-based defense has already been breached. This mindset forces defenders to accept the worst and operate continuously in an investigative mode. To investigate and remediate, you need the data the EO calls for: “Information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) is invaluable…”
For network data, Corelight’s use of Zeek provides a uniform, non-proprietary log format that is purpose-built for security, generated by passive sensors independent of the endpoints it observes (so an intruder on a host cannot alter it the way they can alter host logs), and designed for interoperability. Combined with endpoint data and ingested into a security information and event management (SIEM) system, it gives each government agency a cybersecurity ecosystem that can be matured to combat the sophisticated threats our nation now faces.
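To make the Section 7 and Section 8 points concrete, here is an added example (not code from this article, from Corelight or from the Zeek project) that parses a constructed Zeek conn.log sample, written in the standard Zeek TSV layout with a subset of the real conn.log fields, and runs two hunts over it: an asset-visibility check that flags internal hosts talking on the network that are missing from the inventory (you cannot defend what you do not know you have), and a reconnaissance check that flags an external source probing many ports on one internal host without completing a handshake. The inventory, address ranges, sample rows and the three-port threshold are all assumptions made for the illustration.

```python
"""Parse Zeek conn.log records and hunt over them.

Added example, not code from the article, Corelight or Zeek. The point it
demonstrates: because Zeek logs carry their own typed schema (#fields/#types),
one parser and one set of hunts work unchanged on any Zeek deployment.
The inventory and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical asset inventory: the hosts the agency believes it owns.
KNOWN_ASSETS = {"10.0.1.5", "10.0.1.10", "10.0.2.20"}
# Hypothetical internal address space.
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed sample in Zeek's TSV layout (a subset of the real conn.log
# fields). "#separator" is the only header line that uses a space; every
# later header line and every record uses the declared separator (a tab).
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1621900000.1\tC1\t10.0.1.5\t51000\t93.184.216.34\t443\ttcp\tssl\t1.5\t1200\t8000\tSF
1621900001.2\tC2\t10.0.9.77\t51001\t93.184.216.34\t443\ttcp\tssl\t0.9\t900\t4000\tSF
1621900002.3\tC3\t198.51.100.9\t40000\t10.0.1.10\t22\ttcp\t-\t-\t0\t0\tS0
1621900002.4\tC4\t198.51.100.9\t40001\t10.0.1.10\t445\ttcp\t-\t-\t0\t0\tREJ
1621900002.5\tC5\t198.51.100.9\t40002\t10.0.1.10\t3389\ttcp\t-\t-\t0\t0\tS0
1621900003.0\tC6\t203.0.113.7\t52000\t10.0.2.20\t443\ttcp\tssl\t2.1\t700\t3000\tSF
#close\t2021-05-25-00-00-04
"""


def _convert(typ, val):
    """Map a Zeek #types entry to a Python value."""
    if typ in ("time", "interval"):
        return float(val)
    if typ in ("port", "count", "int"):
        return int(val)
    if typ == "addr":
        return ip_address(val)
    return val


def parse_zeek_log(text):
    """Return a list of dicts, one per record, keyed by the #fields names."""
    fields, types, unset, sep = None, None, "-", "\t"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator"):
                # The value is an escaped literal such as \x09; decode it.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, *vals = line[1:].split(sep)
                if key == "fields":
                    fields = vals
                elif key == "types":
                    types = vals
                elif key == "unset_field":
                    unset = vals[0]
            continue
        vals = line.split(sep)
        records.append({
            name: None if val == unset else _convert(typ, val)
            for name, typ, val in zip(fields, types, vals)
        })
    return records


def _is_internal(addr):
    return any(addr in net for net in INTERNAL)


def unknown_internal_hosts(records):
    """Visibility hunt: internal addresses seen on the wire but not in inventory."""
    seen = set()
    for r in records:
        for host in (r["id.orig_h"], r["id.resp_h"]):
            if _is_internal(host) and str(host) not in KNOWN_ASSETS:
                seen.add(str(host))
    return sorted(seen)


def port_scanners(records, min_ports=3):
    """Recon hunt: external source touching many ports on one internal host
    with no completed handshake (S0 = SYN unanswered, REJ = rejected)."""
    touched = defaultdict(set)
    for r in records:
        orig, resp = r["id.orig_h"], r["id.resp_h"]
        if (not _is_internal(orig) and _is_internal(resp)
                and r["conn_state"] in {"S0", "REJ", "RSTO", "RSTOS0"}):
            touched[(str(orig), str(resp))].add(r["id.resp_p"])
    return sorted(k for k, ports in touched.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_zeek_log(CONN_LOG)
    print("unknown internal hosts:", unknown_internal_hosts(recs))
    print("probable scanners:", port_scanners(recs))
```

In a real deployment the same two functions would run over logs shipped from the sensor into the SIEM rather than over an embedded string, and the inventory would come from the agency's CMDB or cloud asset API; the value of the uniform format is that neither hunt needs to change when the sensor, the SIEM or the agency does.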
Section 11 – General Provisions
I would be remiss if I did not mention that the new National Cyber Director will have an essential role in leading toward these cybersecurity goals and bringing the private and public sectors together. I can’t be prouder of Chris Inglis for being nominated for that post. As NSA’s deputy director, he helped lead the agency through the period following the Snowden leaks, and he has the knowledge, integrity and wherewithal to help steer us to a more robust national cybersecurity posture.