Brent Hansen | Federal CTO
President Joe Biden signed an Executive Order on May 12, 2021, which paves the way to implementing new policies aimed to improve national cybersecurity posture. The Executive Order is signed in the wake of several recent cybersecurity catastrophes, such as the ransomware attack targeting the Colonial Pipeline, the Microsoft Exchange server vulnerabilities that affected more than 60,000 organizations, and the SolarWinds hack that compromised nine federal agencies.
The Order, which has a broad concept, aims to strengthen cybersecurity for federal networks and outline new security standards for commercial software used by both businesses and the public. “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals," the White House fact sheet says.
Multifactor Authentication and Data Encryption
The Executive Order (EO) makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.
One of the most striking requirements is the implementation of multifactor authentication and data encryption for all Federal governments. “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws,” requires the EO.
The implementation of such security controls will help to move the Federal government “to secure cloud services and zero-trust architecture.” According to the EO fact sheet, “The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
A holistic approach to Federal cybersecurity
In addition to the MFA and data encryption requirement, the EO puts forward the following initiatives:
• Remove barriers to information sharing between the US government and the private sector “to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.”
• Improve software supply chain security “by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.”
• Establish a Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board, enacted after airplane crashes and other serious incidents. The Cybersecurity Board will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
• Create a standard playbook for cyber incident response to harmonize the Federal agencies preparedness to identify and respond to cyber threats.
• Improve detection of cybersecurity incidents through the adoption of a federal-wide EDR system.
• Improve remediation following cybersecurity incidents through robust and consistent logging practices.
As the US cybersecurity posture relies on both the Federal agencies and the private sector, as the recent attack on Colonial Pipeline demonstrated, the EO encourages private sector companies “to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
Data discovery and key management are essential
Going deeper into the details of robust data encryption, federal agencies and private companies will have to practice two essential controls: data discovery and key management.
You cannot encrypt and protect all your data at rest unless you know where they reside – in the cloud, on-premises, databases, structured and unstructured data. Data discovery allows you to identify all your data, classify them and prioritize which data to encrypt and how. Most business-critical and sensitive data should be encrypted with high priority affording the strongest encryption algorithms and keys. Thales Data Discovery and Classification provides you with a single pane of glass that allows you to get a clear understanding of what sensitive data you have, where it’s located, and its risks of exposure. Thales Data Discovery and Classification integrates with CipherTrust Transparent Encryption to allow your organization from a single pane of glass to set policies, discover data that adheres or violates those policies, classify data, rank risks and apply remediation.
At the same time, for encryption of data at rest and in transit to be effective and robust, it is important to establish a centralized key management. Just as encryption should be centralized, so should the key management. An effective key management is what makes encryption strong. If the keys are not properly managed and secured, they can be stolen, and the encryption will be broken. Federal agencies and private companies should opt for storing the encryption keys in a Hardware Security Module (HSM), like the Thales Luna series, accredited in accordance with FIPS 140-2.
Effective cybersecurity is all about the keys. When it comes to cybersecurity, identities and data are the new perimeter, so as the EO asks what “bold changes and significant investments” will you make?