Transcript
Rick Howard (0:02)
You're listening to the Cyberwire network, powered by N2K.
Nyla Genoi (0:11)
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Rick Howard (1:31)
The word is: President Biden's Executive Order on Improving the Nation's Cybersecurity. Spelled in three parts: Executive Order, as in a United States President's formal directive that has much of the same power as federal law; Improving, as in enhancing; and finally, the Nation's Cybersecurity, as in the federal government's security posture.

Definition: President Biden's May 2021 formal compliance mandate for Federal Civilian Executive Branch agencies, or FCEBs, to include specific short-term and long-term deadlines, designed to enhance the federal government's digital defense posture.

Example sentence: By law, President Biden's Executive Order on Improving the Nation's Cybersecurity applies only to the federal government and its systems. By extension, though, it applies to the thousands of government contractors and subcontractors that provide IT services to the US government.

Origin and context: On May 12, 2021, United States President Joe Biden signed Executive Order 14028, mandating that all federal information systems meet or exceed specific standards and requirements for cybersecurity, to include (and this is a long list, so bear with me): improvements to the Federal Acquisition Regulation, or FAR; streamlining the FedRAMP process; mandating that software vendors provide a software bill of materials, or SBOM, for products sold to the government and submit to some kind of software review; streamlining cybersecurity information sharing internally among Federal Civilian Executive Branch agencies and with cloud service providers; budgeting plans for implementing a Zero Trust architecture; accelerating deployment to secure cloud services; building a data analytics capability across the federal government and hiring the necessary people to manage everything; publishing strategy and guidance on cloud security; developing procedures or playbooks for interagency incident response; developing government communal services that branch agencies can use during a crisis; deploying multi-factor authentication; deploying encryption at rest and in motion; deploying Endpoint Detection and Response, or EDR; defining what critical software is and additional security requirements for software that meets those requirements; establishing consumer IoT device labeling requirements; establishing a Cyber Safety Review Board of government and commercial practitioners to review and assess significant branch-agency cyber incidents; and finally, a mandate for all branch agencies to participate in some kind of continuous diagnostics and mitigation program.

Whew. That's a lot. The Executive Order is arguably the most comprehensive federal cybersecurity enhancement program in the history of the United States. And these are not just suggestions. Each plank in the plan comes with short-term and long-term deadlines that are due mostly in 2021 and 2022. That's the good news. The bad news is that presidents have tried this in the past without much success. On February 12, 2013, just before the State of the Union address, former President Barack Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity. It focused on three key areas: information sharing, privacy, and the adoption of cybersecurity practices. But years later, according to Taylor Armerding from CSO Online, experts agree that while President Obama put time, effort, and political capital into improving cybersecurity, the results are not encouraging. Ultimately, it didn't accomplish the goal of making either government or the private sector more secure. As an example, on President Obama's watch, one or more Chinese nation-state hacker groups breached the Office of Personnel Management, or OPM, and exfiltrated the personal data of nearly 22 million federal employees, arguably one of the most successful cyber espionage operations known by the public conducted in the last decade.

That said, President Biden's Executive Order is an even bigger swing than President Obama's, and the things he's asking for are all capabilities that the federal government needs. We will be watching closely and wish him all success in this endeavor.

Nerd reference: On 16 May 2021, President Biden spoke to the press about the Colonial Pipeline ransomware attack and the need to make infrastructure more resilient. At this press conference, he announced his Executive Order on Improving the Nation's Cybersecurity and described the goals behind it.
[Cover art: Executive Order on Improving the Nation's Cybersecurity (noun) [Word Notes] - Hacking Humans]