On Wednesday May 12, 2021, President Biden signed an extensive executive order (E.O.) on improving the United States’ cybersecurity posture. The E.O. is directed at US federal departments and agencies and their federal contractors, but the standards that result from it will likely have a much broader impact across global critical infrastructure sectors and related technology suppliers.
Prompted by a series of serious cyber-attacks, the E.O. acts as an acknowledgement that the United States will continue to face sophisticated cyber threats with progressively more severe impacts. The SolarWinds compromise and the Colonial Pipeline ransomware attack, in addition to attacks on healthcare and other critical infrastructure sectors, have been highly disruptive, and the SolarWinds case in particular exposed significant software supply chain vulnerabilities.
And while the directives contemplated in the E.O. will technically apply only to US federal departments, agencies, and their technology suppliers, it’s likely that they will also be adopted by broader categories of buyers and suppliers across critical infrastructure to be used as a “north star” for security expectations.
The US government and private industry alike find it challenging to share accurate and actionable threat intelligence. The E.O. acknowledges the unique visibility that technology providers have into threat activity and seeks to foster more sharing of threat intelligence to advance economic and national security across sectors. Additionally, the E.O. aims to expand breach notification expectations for software product and service providers—an important step towards reducing the window of opportunity attackers have to mount repeatable attacks on multiple targets.
Requirements for US federal agencies to implement zero trust architectures and related endpoint detection, response and logging practices underscore a security strategy reoriented around threat-informed defence. The E.O. also acknowledges continual supply chain exposure, encouraging both governmental and commercial sectors to operate on the assumption that threat actors will, at some point, achieve initial access.
Although the directives set forth in the E.O. are only in their initial phases, it’s not too early for technology suppliers to begin preparing. In the spirit of not reinventing the wheel, existing purpose-built secure software frameworks like the NIST Secure Software Development Framework (SSDF) and the Building Security in Maturity Model (BSIMM) serve as valuable starting points for assessing preparedness against the new standards likely to result from the E.O. Suppliers should also look to guidance from the NCSC on supply chain security and the associated Cyber Assessment Framework. But as the 2021 Cyber Security Breaches Survey from DCMS highlighted, less than 15% of UK organizations currently maintain a formalized vetting process for their digital supply chain. This reality underscores the magnitude of the cybersecurity challenge facing suppliers.
Software producers will also be expected to have a more substantial understanding of how their software is authored, tested and secured. This includes maintaining an accurate record of the provenance of each software component used in building an application, corroborating testing outcomes and the risks mitigated during testing, and implementing automated processes to maintain a trusted software supply chain throughout the software life cycle. A Software Bill of Materials (SBOM), a key aspect of the E.O., offers a common, machine-readable format for documenting and communicating the components of a given application, reducing code opacity, particularly for third-party open source components.
Technology providers must also anticipate being targets of a cyber-attack, implement a threat-informed defence and apply and validate controls based on anticipated malicious behaviours. Understanding the anatomy of recent supply chain attacks and their associated tactics, techniques and procedures (TTPs) ensures that defenders are better able to minimize risks to the software that powers their business operations.
For their part, technology buyers should start reviewing security frameworks such as the SSDF and BSIMM and operational guidance from the NCSC with an objective to incorporate them into contractual requirements and SLAs with suppliers. Don’t neglect independent validation and verification testing, as well as breach notification strategies, as in any supply chain the weakest link may not be within your organization.
An SBOM positions a buyer to identify risks associated with the components used within each application, such as vulnerabilities disclosed through the US National Vulnerability Database (NVD), a centralized public database of software vulnerabilities. Since vulnerability disclosures will continue throughout an application’s lifespan, a one-time review of the SBOM at procurement is not enough: a continuous monitoring process that matches new disclosures against the contents of each application’s SBOM is key to keeping deployments patched. Buyers should look to suppliers for attestations whenever there is any question about the applicability of a given weakness, vulnerability, patch or associated mitigation to the product as shipped.
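The matching step that the preceding two paragraphs describe, an SBOM component inventory checked against a vulnerability feed, is short enough to show end to end. The following is an added example written for this page, not code from the E.O., NIST or any SBOM tool. It parses a constructed CycloneDX-style SBOM, extracts each component’s package URL (purl), and checks its version against a constructed advisory list; every package name, version and advisory identifier below is hypothetical and stands in for what a real NVD or OSV query would return. It also shows the two cases a practitioner hits immediately in real SBOMs: components with no purl at all, and versions that do not parse, both of which must be reported rather than silently treated as clean.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM. Package names, versions and the "vendor-blob"
# component are invented for this example and do not describe any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-utils", "version": "1.4.2",
     "purl": "pkg:npm/acme-utils@1.4.2"},
    {"type": "library", "group": "com.example", "name": "acme-parser", "version": "3.2.0",
     "purl": "pkg:maven/com.example/acme-parser@3.2.0"},
    {"type": "library", "name": "acme-client", "version": "2.1.0",
     "purl": "pkg:pypi/acme-client@2.1.0"},
    {"type": "library", "name": "acme-core", "version": "2.0.0-beta",
     "purl": "pkg:npm/acme-core@2.0.0-beta"},
    {"type": "library", "name": "vendor-blob", "version": "unknown"}
  ]
}
"""

# Constructed advisory feed (hypothetical identifiers, not real CVEs).
# key = purl type + namespace + name; value = list of (introduced, fixed, advisory id),
# where a version is affected if introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "npm/acme-utils": [("1.0.0", "1.4.5", "EXAMPLE-2021-0001")],
    "maven/com.example/acme-parser": [("3.0.0", "3.2.0", "EXAMPLE-2021-0002")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). Anything non-numeric (pre-release tags, 'unknown')
    raises, so the caller can report the component as unassessable instead of clean."""
    parts = []
    for seg in v.split("."):
        if not seg.isdigit():
            raise ValueError(f"unparseable version segment {seg!r} in {v!r}")
        parts.append(int(seg))
    return tuple(parts)


def purl_key(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/acme-utils@1.4.2' into ('npm/acme-utils', '1.4.2').
    Qualifiers ('?...') and subpaths ('#...') are dropped; percent-decoding is not handled."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = body.rpartition("@")
    if not sep:  # no version in the purl at all
        return body, ""
    return name, version


def match_sbom(sbom_json: str, advisories: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, list]:
    """Return {'affected': [...], 'clean': [...], 'unassessable': [...]} for one SBOM."""
    report: Dict[str, list] = {"affected": [], "clean": [], "unassessable": []}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No purl means no reliable identity to look up; never assume clean.
            report["unassessable"].append({"name": comp.get("name"), "reason": "no purl"})
            continue
        key, version = purl_key(purl)
        try:
            ver = parse_version(version)
        except ValueError as exc:
            report["unassessable"].append({"name": comp.get("name"), "reason": str(exc)})
            continue
        hits = [adv_id for introduced, fixed, adv_id in advisories.get(key, [])
                if parse_version(introduced) <= ver < parse_version(fixed)]
        if hits:
            report["affected"].append({"purl": purl, "advisories": hits})
        else:
            report["clean"].append(purl)
    return report


if __name__ == "__main__":
    print(json.dumps(match_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

In a real continuous-monitoring loop the advisory dictionary would be refreshed from a feed and this match re-run on every stored SBOM whenever the feed changes, not only at build time. Note the boundary case: acme-parser at 3.2.0 is exactly the fixed version and is correctly reported clean, while the two components that cannot be identified or versioned are surfaced separately so that someone can chase the supplier for an attestation.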
And finally, technology buyers and producers need to consider zero trust deployments, in which users are granted access to a network service for a specific task and must reauthenticate for new tasks, and in which continuous monitoring for anomalous activity is in place. Security planning should also reflect zero trust principles across the enterprise and the software lifecycle, eliminating implicit trust in any network node or access point. Doing so complicates an adversary’s efforts to find a single point of weakness among interconnected traditional network boundaries, development environments and cloud-enabled services.