“Cyber security is complex” is a tautology, but it doesn’t make it less necessary a statement to make these days. Anyone who has spent time in the trenches knows that lots of teams suffer from big challenges, and that those challenges are rarely solved by yet another appliance or agent. But the paradox in cyber security is that despite this truth we keep applying that very strategy: “with just one more solution, our problems will be solved!” This odd paradox has caused me to liken this scenario to a kid kicking a can down the road…
I bring this up because May 2021 looks to be another tumultuous month for cyber security professionals. Earlier this month an unnamed ransomware group crippled the Colonial Pipeline Company. The attack shut down the largest oil distribution system in the US. It also resulted in oil and gas shortages up and down the East Coast for several days. But it also brought to the fore the topic of cyber security for the United States' critical infrastructure.
Nearly in tandem with the attack, the current administration also released a new Executive Order. The Order, dubbed the "Executive Order on Improving the Nation's Cybersecurity," is a rather terse few pages proposing some "bold changes" to how the government does business when it comes to cyber security. The proposed changes can be broken down into 8 categories, namely:
- Removing Barriers to Sharing Threat Information
- Modernizing Federal Government Cyber Security
- Enhancing Software Supply Chain Security
- Establishing a Cyber Security Review Board
- Standardizing Government Playbooks for Incident Response and Vulnerabilities
- Improving Detection of Vulnerabilities and Incidents on Federal Government Networks
- Improving the Federal Government's Investigative and Remediation Capabilities
- National Security Systems
It is hard to argue with the outcomes set forward in these categories. But it is also worth diving deeper into the Order to understand not just the why, who and what, but far more importantly, the how.
Who Does the Executive Order Apply To?
Perhaps the most fundamental question that needs to be addressed is "who does this apply to?"
The Executive Order applies to all organizations classified as Federal Civilian Executive Branch (or FCEB) agencies. This means that the order will not apply to non-civilian agencies, such as the Department of Defense (DoD), or various agencies in the Intelligence Community (IC). However, it does cover a number of significant organizations, including the Departments of Commerce, Energy, Homeland Security, and Justice, along with 98 other agencies. The Order even makes that clear, stating:
"... All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order..."
A key limitation, however, is that this is being delivered in an Executive Order. This is because Orders, as opposed to legislation, only apply to the federal government. And this means that the scope of the order is limited to agencies within the federal government and does not apply to state and local governments. This is important as state governments especially have been subject to targeting by numerous cyber adversaries in the past several years. Regardless, the scope of the order is still quite significant.
This makes this Executive Order incredibly far-reaching in its mandate. But what exactly is it mandating?
What is Being Mandated...
Let's be clear, while the Executive Order is relatively light reading by government standards, it still contains a lot of material to process. While much of the material contained in the Order is administrative in nature, there are a few significant elements.
...for the Private Sector?
The majority of the order focuses on the public sector. But there are orders to review the Federal Acquisition Regulation (FAR) contract requirements with an eye towards cyber security delivered to the government from the private sector. This includes regulations around data preservation, the sharing of "cyber threat and incident information," as well as mandating the "... implementation of technical capabilities, such as monitoring networks for threats ..." The concerning part is that this is all that is mentioned.
As anyone in the cybersecurity industry can attest, vague statements yield vague results. Having the order, for instance, mandate "data preservation" without specifying a minimum duration and from what devices, is likely to lead to different definitions depending on which side of the fence you're on. Similarly, mandating the implementation of "technical capabilities" while only vaguely defining what those capabilities are will almost certainly lead to further interpretations. And vague definitions and interpretation aren't what you want during an incident when every second counts.
...for the Federal Government?
Endpoint Detection and Response
The bulk of the Order concerns the federal government, specifically the FCEB agencies. The Order lays out some substantial demands on these agencies in a number of areas. Two of the most substantial, however, can be found in Section 7's "Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks." The order mandates that FCEB agencies deploy an "Endpoint Detection and Response (EDR) initiative." While there are a lot of timelines around this initiative, there is a breathtaking lack of detail. For instance, nowhere in the Order does it state what types of systems should be covered. Endpoints? Servers? Mobile? IoT? And what percentage of each?
More concerning is that the Order also seems to suggest that every agency need only deploy an "EDR initiative." While the practical outcome of this remains to be seen, every agency deploying its own unique EDR solution will result in a hodgepodge of different solutions, with different capabilities, and ultimately powered by different threat detection content. That isn't just going to improve detection; it's going to make maintaining threat detection parity a nightmare.
While some may dismiss this with handwaving about "that type of detail isn't what is included in an Executive Order," I would counter that this is precisely the level of detail required for this type of order, especially given the poor track record these types of large-scale initiatives have had in the past.
A Threat Hunting Agency
Another substantial demand is what the government intends to do with those disparate EDR initiatives. The order makes it very clear that these initiatives are to provide
" ...proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response... "
It also makes it clear that they will be carried out through the Cybersecurity & Infrastructure Security Agency (CISA). This is an agency that even today still describes itself first and foremost as a "risk advisor," not a security provider. That distinction was borne out during the SolarWinds attack, when CISA admitted that EINSTEIN, the cyber defense platform that currently protects FCEB agencies, was unable to prevent or detect the intrusion until it was fed threat information from private sector sources. It is also an agency that was recently described as "underfunded, outmatched, and 'exhausted'."
Let's be clear, this isn't to diminish the work of CISA, nor to say that they can't accept new mandates. But moving from a risk advisory role to a proactive hunting role is one that cannot be done overnight with the stroke of a pen across an Executive Order.
This leads us into probably the most important element of the deep dive into the Executive Order, that of how...
How Will This Happen?
The most critical component to understanding any legislation is understanding how it will happen. This is because successful legislation only starts with the order. It is how that order is interpreted, planned, and carried out by the staffers and bureaucrats that ultimately determines the success of the legal effort. This is where the Executive Order begins to show some significant cracks.
It is important to understand that Executive Orders can't command the purse strings of the nation. In fact the US Constitution exclusively grants the right to spend taxpayer dollars to Congress. This means that while an Executive Order can bind an agency to a course of action, it cannot fund that action. This means that all of these initiatives are, as of now, unfunded and it isn't clear how that will change in the coming weeks.
However, it isn't merely a monetary issue that hampers this Executive Order. Rather, it is a more fundamental challenge of people and processes. Threat hunting is still considered an advanced capability, one that demands highly skilled threat hunters, and for hunting across 102 government agencies, quite a lot of them. However, research has shown that for 72% of organizations the primary barrier to entry for threat hunting is a lack of skilled staff. No amount of executive action can "create" threat hunters overnight. It takes years, and there simply aren't enough to go around.
The problems don't stop at a lack of people though. Threat hunting is a very process-intensive discipline, with processes that must be hard fought and won over years of experience in the specific environments. In fact, 45% of organizations list a lack of processes as a major barrier to entry for threat hunting. Some of the data and processes can certainly be transitory, but the majority of processes in threat hunting demand experience that, frankly, right now we don't have.
There is also the question of accountability. The Order, as it stands, shoulders a lot of responsibility on a very select few. What it doesn't do, though, is make anyone ultimately accountable for failures. This type of "responsibility not accountability" leadership will only result in further maintenance of the status quo.
So What is the Answer?
Let's be very clear: the Executive Order signed on 12 May 2021 is a step in the right direction. It acknowledges that traditional reactive security isn't sufficient, and that joint INTERPOL operations and DoJ indictments aren't dissuading actors from attacking the United States, its critical infrastructure, and everyday Americans. However, the belief that an Executive Order, without financial support, or the critical mass of people, processes, and accountability to accomplish the mission can solve, or even dramatically alter, the status quo is naïve.
The solution, then, is to put cyber security front and center. With a unified Executive, Congress, and Senate, put forward proper legislation that is informed by the best threat hunters in the country and from across the industry. Ensure that it covers minimum requirements, in detail, that all federal, state, and local government agencies must adhere to. Lay the groundwork required for a national cyber security guideline for critical infrastructure that lays out more than bare minimums. And make people accountable for failures.
Beyond that, we need to focus on staffing and funding a single agency at the federal government to carry out this mandate. It cannot be an afterthought or snap decision.
Most importantly, we have to stop approaching systemic problems to do with cyber security with a "technology centric" mindset. Problems in cyber security can't be fixed with a new tool.
They are problems that must be addressed with people and processes. Rolling out EDR across the entire civilian federal government will not somehow magically "protect" them, or us, from attack. That technology has to be fed and maintained by the latest threat content, and that content needs to be developed by hunters and security researchers.
This isn't a problem with a simple solution, but we can’t keep kicking the can down the road, because we are running out of road.