Biden’s Cybersecurity Executive Order Could Change IT Security

Since President Joe Biden took office in January, his administration has been fighting multiple cybersecurity fires that seem to come one right after another—including the cyberespionage campaign that targeted SolarWinds and, more recently, the ransomware attack that took down Colonial Pipeline Co. for nearly a week.

In an attempt to get these security issues under control, the White House has taken a two-prong approach. The first is a set of sanctions aimed at Russia, which the Biden administration blamed for the SolarWinds supply chain attack as well as interference during the 2020 U.S. elections.

The second is a 30-page executive order, signed by Biden and published May 12, which looks to completely transform how federal agencies approach cybersecurity. The order not only includes new mandates for how departments must deploy security technologies such as multifactor authentication, but also how the federal government buys and consumes software. 

The overall goal of the order—officially called Executive Order on Improving the Nation’s Cybersecurity—is to improve cybersecurity by modernizing the government’s IT infrastructure, which includes a greater reliance on cloud computing services and the use of zero trust architectures for networks and infrastructure.

“So today’s executive order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely,” according to a senior Biden administration official who briefed reporters before the executive order’s release. “It reflects a fundamental shift in our mindset—from incident response to prevention, from talking about security to doing security—setting aggressive but achievable goals to make the federal government a leader in cybersecurity, and improve software security and incident response.”

The release of the order was welcomed by most analysts and industry watchers in the cybersecurity industry as a needed and necessary step to shore up the government’s infrastructure. Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency, called it an “ambitious plan” and said, “It should be effective if implemented properly.”

For IT and security professionals, the executive order offers fresh ways to think about cybersecurity, whether working in the federal government or the private sector. And while the order will mainly affect federal agencies – especially in how they will evaluate and purchase software in the future – these changes are likely to have wide-ranging consequences across multiple industries.

“Over the next nine to 12 months, there will be federal guidance and enforcement for vendors through National Institute of Standards and Technology to comply with practices to enhance the software security supply chain, including secure software development environments, ensuring source code integrity, regular application security testing and remediation, ensuring software provenance, publishing the software bill of material and ensuring the provenance of open source components,” Setu Kulkarni, vice president of strategy at WhiteHat Security, told Dice. 

“These are the areas where IT and security professionals have a duty and opportunity to ensure that the software and services they are developing are ready to meet the stringent requirements that will come about as a result of the executive order,” Kulkarni added.

Focus on Cloud and Skills

The sprawling executive order makes clear that the Biden administration wants to modernize as much of the federal government’s IT systems as possible. This means relying more on cloud infrastructures, services and apps as well as embracing concepts such as zero trust to help reduce the threat of breaches and attacks.

With this focus on cloud, executive branch agencies in the federal government will also have to adopt multiple cybersecurity tools and best practices for protecting data. This includes multifactor authentication and encryption as well as endpoint detection and response (EDR) to not only protect devices but also as a way to better share data and threat intelligence.

Mohit Tiwari, co-founder and CEO at Symmetry Systems, noted that this push to move away from on-premises systems and into the cloud, which will also likely include highly regulated workloads, is likely to open up career opportunities for IT and security professionals who understand how cloud architectures work.

“Moving forward, cloud-based security techniques will continue to be critical. These include learning to work with cloud-native identity and access management (IAM), large-scale log analysis and alerting techniques, NIST and similar compliance frameworks, and broadly learning to manage infrastructure through structured programs, instead of shell scripts pieced together,” Tiwari told Dice. “As networks and application tiers become ephemeral, the most important persistent asset for any enterprise will likely be their own and their customers’ data—so data security on the cloud will be a major theme going forward.”

John Morgan, CEO at Confluera, noted that the sharing of data between government agencies and the private sector is another significant step and one that will require a fresh way of understanding how systems operate and communicate with each other.

“A key focus in the recent executive order by President Biden is the need to share information across organizations and tools,” Morgan said. “Removing the barrier to cyber intelligence had been a key area of focus for many in the cybersecurity industry. Now, with a renewed focus by the government, IT professionals can expect an increasing need to integrate and interoperate different cybersecurity tools. Organizations will seek to augment or complement existing solutions with new technologies for a much-improved overall security posture.”

Bert Kashyap, CEO and co-founder at SecureW2, noted that the executive order would not only pave the way for those IT and security pros who know the cloud, but also those who can help move workloads from on-premises systems to more modern architectures.

“From a government perspective, if you are tasked with maintaining legacy infrastructure day-in and day-out, there is a whole set of skills to keep that existing infrastructure up. Where people need to boost skills sets, is where this legacy to cloud transition needs to happen,” Kashyap told Dice. “Learning how you can take the existing infrastructure to harden it and then transition it is the most relevant.”

Supply Chain Security and Software

Another part of the executive order that is getting attention is how federal government agencies evaluate and purchase software. This is one of the most direct attempts to address the type of supply chain attack that targeted SolarWinds and the company’s customers, including nine federal agencies and 100 private firms.

The order offers three major changes to how government departments must approach software purchase decisions: Agencies must now create baseline security standards for software, which includes requiring developers to offer more visibility into their applications and make security data available; agencies must develop requirements for making sure vendors address security as software is developed; and finally, the government will create a pilot program for an “energy star” type of label signifying whether software follows these new security guidelines.

WhiteHat Security’s Kulkarni noted that these requirements are going to open up whole new opportunities for IT and security professionals who understand how the federal requirements will work and how that will change software development.

“The most important role that will need to be filled, however, is what I call a ‘security product manager’—someone who can understand the myriad of federal guidelines, in addition to other commercial and industry requirements—around the bold actions and translate them into business and product requirements that vendors need to implement,” Kulkarni said.