COMMENTARY: At the 11th hour of his term, former President Joe Biden signed a last-minute cybersecurity executive order (EO) on Thursday, introducing several new requirements aimed at strengthening U.S. national security.
Building on prior White House initiatives aimed at enhancing software security—such as his cybersecurity EO from 2021—the new directive takes these efforts even further.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
And, while many of the updated requirements mark a step in the right direction, they also raise some important considerations that the cybersecurity community will watch closely in the coming weeks and months. Here’s a closer look at what we can expect.
- AI-enabled cyberdefense: Biden’s new EO puts a large focus on AI use for cyber defense. In addition to prioritizing items like AI security research and the design of secure AI systems, the federal government has also been tasked with accelerating the deployment of AI for critical infrastructure, including the energy sector and the Department of Defense. However, limiting the program exclusively to critical infrastructure is disconcerting. It’s potentially a missed opportunity to support dozens of other FCEB agencies, many of which are on the frontlines of grappling with increasingly sophisticated and targeted cyberattacks.
- Threat hunting: It’s encouraging to see the EO’s proposed establishment of government working groups to conduct more threat hunting and EDR in federal networks. While CISA was granted authority to conduct threat hunting on FCEB networks in 2020, political friction has in many ways stunted the progress of this initiative. With the new requirements in this latest EO, it’s promising to see a doubling-down effort on threat hunting. However, threat hunting goes hand-in-hand with visibility, and it will be interesting to see what guidance CISA releases around how visibility gets defined and promoted. I think there’s an opportunity here to open up the aperture when it comes to defining “visibility.” For example, we should not limit visibility to EDR. While EDR detects adversarial activity at the endpoint, in reality, most attacks don’t necessarily originate on the endpoints themselves. Rather, the exploitation of the user and/or the application is typically where patient zero is found. Email continues to be the No. 1 threat vector facing organizations today, and it’s the root cause of the vast majority of federal incidents and breaches.
- Phishing-resistant authentication: The Biden EO’s emphasis on prioritizing phishing resistant authentication through pilot programs makes sense. Phishing-resistant authentication options, such as multi-factor authentication (MFA), are fundamental for mitigating email attacks like phishing and business email compromise. MFA has long been considered the gold standard for protecting accounts, and while it’s a foundational security measure, it’s not a silver bullet. Today’s savvy cybercriminals are skilled in getting past MFA using various bypass techniques, which means organizations need to remain diligent about layering MFA with additional detection, prevention and remediation strategies. As such, we should expand the scope of these pilot programs to include other capabilities we can use in concert with phishing-resistant authentication options like MFA.
- FedRAMP modernization: The EO stipulates FedRAMP policy updates to incentivize cloud service providers in the FedRAMP Marketplace to configure cloud-based systems based on agency requirements. We’ve needed enhancements and modernization to the FedRAMP program for many years. However, existing processes are already bogged down, with limited resources to process FedRAMP submissions in a timely manner. This has created a shared frustration for both cloud service providers and the federal government, while stalling the deployment of cutting-edge technologies. In an ideal world, the new requirements are paired with efficiency improvements to prevent further slowdowns across the FedRAMP Program Management Office.
- Digital identity documents and validation services: The push for digital identity documents and validation services promises to accelerate the rollout of private-sector technology to increase government efficiency and reduce fraud. It opens the door to mobile driver’s licenses and the launch of an early-warning fraud pilot that could notify citizens of fraud incidents involving their public benefits and payments. While these requirements offer enhancements to processes surrounding public benefits, they also come with potential risks. Public sector organizations may need to prepare for spikes in identity-based fraud, for example, and figure out how to protect a deluge of personally identifiable information from being exploited by adversaries.
Overall, the signing of the last-minute EO was an encouraging move toward developing stronger national security practices. We should applaud its effort to foster specific, time-bound requirements that can help enforce timely adoption, industry collaboration, and accountability.
However, there’s still space for both the federal government and security vendors to take it even further – namely by broadening its scope across even more use cases and security technologies, while looking for areas to improve.
Time will tell whether the EO holds in the incoming administration, but it includes best practices that the industry should consider adopting, regardless of whether they are enforced moving forward.
James Yeager, vice president, public sector, Abnormal Security