On May 12, 2021, President Biden signed an Executive Order (EO) to improve U.S. cybersecurity standards and further combat cyber threats against the nation. Though the EO focuses on Federal agencies and their private contractors, it encourages private sector companies to follow the Federal government’s lead—including ambitious measures to augment cybersecurity defenses and align communication.
This EO comes right on the heels of many high-profile and damaging cyberattacks, like the SolarWinds and Microsoft Exchange breaches as well as the recent Colonial Pipeline hack. It’s clear the industry has truly taken this onslaught of incidents as a wake-up call—and official orders from the government are a welcome improvement—but it does beg the question: could it be too little, too late?
Spoiler Alert: Probably. This will be a slow rollout—and we’re already a bit behind the ball. It’s encouraging to see the White House join in the effort to bolster cybersecurity, but it’s one thing to decree these initiatives with Federal backing; it’s another to really put them into action. As an IT service provider, the onus is on you to put these words and recommendations into action.
Top Takeaways from Biden's Executive Order
Here are the seven key takeaways and requirements from the Executive Order that you should know about.
1. Removing barriers to sharing threat information
Information sharing parameters between the Federal government and the private sector will change. Contractual barriers will be removed, which means that not only are IT service providers able to share information with the government, they’re also required to inform the government whenever a breach that could impact government networks occurs.
Huntress Hot Take: This is probably one of the most impactful elements of this Executive Order. We all know that the cybersecurity community is stronger together—and better communication and information sharing on vulnerabilities, breaches, new nation-state threat groups, etc. will benefit the industry as a whole.
This particular section also just marks a positive step in transparency between technology vendors and government organizations. And due to its nature, it’s probably not a bad idea to tighten up your incident response plans and/or disaster communication policies. It's better to have those solidified before the government comes knocking at your door or asking questions—plus, it will make for a much more coordinated response.
2. The government will adhere to more secure and modern approaches to cybersecurity
It’s about time, amiright?! It’s great to see the government bring attention to the importance of dynamic security and evolving with the threats around us—and this section specifically outlines a modernization movement to secure cloud services, a zero-trust architecture, multi-factor authentication and encryption.
But dare I say these are bare minimum standards? It seems like almost every cybersecurity incident happens because of a disregard for security basics—such as a lack of two-factor authentication, weak password policies... the list goes on. As hackers continue to smarten up and evolve their tactics, we need to keep raising the bar and going beyond the basics instead of merely keeping pace.
This is especially important for the IT service providers who are catering to the small to midsize market. You can bet that the successful techniques hackers use on larger organizations will be used against your clients. But the good news is that your clients are much more agile than the Federal government—so it’s time to have those conversations and enforce these higher standards while the iron is hot.
3. Improving supply chain security
The government will require new security standards for software sold to the government, and security data for the software will need to be publicly available. Supply chain security has been a long-standing problem, so it’s nice to see this can isn’t getting kicked further down the road.
Huntress Hot Take: If you’re an IT provider working on government contracts, you’ll need to make sure you adhere to these new standards. And even if you aren’t, this is an opportunity to take a good look at your own stack and critical software and ensure these security standards are integrated from the ground up. Whether you’re auditing your stack or looking to new vendors, supply chain security should be another checkbox on your list of requirements.
4. Establishing a Cybersecurity Safety Review Board
The administration will create a new board—which will be staffed by individuals in both the public and private sectors—to investigate major cybersecurity incidents as well as make concrete recommendations for improvement. As a bit of background, this board will be modeled after the National Transportation Safety Board, which is used to investigate airplane crashes and other incidents.
IT service providers should probably hop on this trend too. There’s a lot we can learn from the past (hindsight is always 20/20), so it might be a worthwhile exercise to document the lessons learned from significant cyber incidents—whether that means forming a board of your own or just implementing a better review/debrief process.
5. Creating a standard playbook for incident response
The EO calls for the creation of a guide for use during a cyber incident to ensure swift action is taken to mitigate damage. The guide will also be made available for those in the private sector to adopt.
Huntress Hot Take: You can’t wait until you’re compromised to figure out how you’re going to respond. That’s why we created this Incident Response Tabletop-in-a-Box—to help you go through the motions and test your incident response proficiency before it’s too late.
6. Improving detection and response
The government will implement endpoint detection and response (EDR) for all federal networks… which is music to our ears! EDR ensures malicious activity can be monitored and that threats can be quickly identified—and that’s so important given how hackers are easily evading preventive security measures.
I won’t harp on this one too much, but at minimum, this is a perfect conversation starter for convincing clients of the need for protection beyond antivirus and other basics. If “proactive detection, cyber threat hunting, containment and remediation” are important enough terms to be penned on the President’s desk, it’s absolutely worth incorporating into your clients’ cybersecurity strategies.
7. Improving investigation and remediation
The EO calls for improving the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. It also sets forth cybersecurity event log requirements for federal departments and agencies to better detect and prevent intrusions as well as to determine the scope of incidents that have occurred.
Client Conversation Starters
It’s not every day that you have an opportunity to take a major news headline and bring it to your clients’ backyard. Whether clients come to you for questions or you're looking to start an upsell conversation, here are some talking points to discuss the EO’s relevance with your clients:
- “If hackers can get SolarWinds, Microsoft Exchange, and even the Colonial Pipeline, they can get you. And they want to! Take DarkSide for example. They're running for the hills because of their ties to the high-profile pipeline hack…but you are a low-profile target. Hackers know your weak points, and they know that if they succeed, the attack will fly under the radar.”
- “If there's one thing that this Executive Order makes clear, it's that layered security is more important than ever. President Biden specifically calls out the need for endpoint detection and response—but that’s hardly a new strategy. The government simply hasn't adopted it yet, but you should. We can’t take three years to secure ourselves against today’s threats. To be more proactive with your security, let's layer up and ensure we have those detection and response capabilities in place before the dominoes begin to fall.”
- “The simple truth is that you can’t afford not to invest in cybersecurity. When your systems go down, costs will add up. Investing in the right security solution today means that you’re saving yourself time and money in the long run.”
Recommended Reading and Resources
For more information regarding the EO, check out these resources:
- The White House, Executive Order on Improving the Nation’s Cybersecurity
- Axios, Biden issues executive order following mounting cyberattacks
- Security Magazine, President Biden signs executive order to strengthen U.S. cybersecurity defenses
- The Hill, Krebs on Biden's cybersecurity executive order: 'It's a really ambitious plan'