The Urgent Need for Cybersecurity Reform

Reading Time: 3 minutes

U.S. president Joe Biden signed Executive Order 14028 (“Improving the Nation’s Cybersecurity”) on May 12, 2021, greatly improving the cybersecurity stance of the federal government as well as that of agencies that manage the critical infrastructure in the U.S. While other recent security perspectives focus on privacy protections for individuals, this Order focuses on national security, economic security, public health, and safety.

Although Executive Order 14028 only directly regulates the U.S. federal government, it impacts everyone who works with U.S. agencies and sets forth guidelines of benefit to organizations around the globe. The guidelines help to fortify cybersecurity across public and private sectors, offering standards to protect against threats to critical infrastructure, which are appropriate for all regions of the world. By being in the know, organizations can keep up-to-date about new reforms and their impact.

Behind the Order

This executive order was put into effect as a response to the SolarWinds cyberattack that happened towards the end of 2020, deemed one of the most significant cyber espionage incidents that took place in recent years. The attack exploited key vulnerabilities seen in popular software, thus gaining access to federal systems. Another incident followed suit in May 2021 called the Colonial Pipeline ransomware attack, which unleashed another set of cyberattacks on key infrastructure in the United States. This attack led to the disruption of one of the largest fuel pipelines operations in the U.S. The consequences included, but were not limited to, fuel shortages, price hikes and widespread concern over the susceptibility of crucial infrastructure to cyber breaches.These events highlighted the criticality in the need for improved cybersecurity across the government and private sector.

The Goals of the Order

Executive Order 14028 was designed to:

• Strengthen the cybersecurity defenses of the federal government and critical infrastructure:

Executive Order 14028 sets the framework to mandate federal agencies to  work towards modernizing their cybersecurity capabilities. Each specific implementation needs to be defined by each individual organization, but the approach is to shift to a Zero Trust Architecture (ZTA), a security model that assumes that threats can exist both outside and inside the network and makes sure to continuously verify user trust. Federal agencies are required to emphasize the securing of IT systems by using the latest software, hardware, and cybersecurity tools, and to incorporate encryption and multi-factor authentication (MFA) to protect system access.

• Improve the speed and coordination of cyber incident responses.

Executive Order 14028 calls for the creation of a government-wide playbook that accommodates responses to cybersecurity events. This playbook must include a course of action to help coordinate responses to cyberattacks, establishing that agencies put up a swift, united front, in a regulated manner, when responding to breaches.

• Enhance the security of the software supply chain.

Executive Order 14028 focuses on software supply chains, requiring software vendors, providers, and consultants to ensure that their security practices meet strict criteria. Adhering to new standards for software is mandated for federal bodies. This requires that vendors that want to do business with the federal government make provisions for transparency in the details of internal security practice compliance and undergo independent security reviews.

• Develop a skilled cybersecurity workforce.

Executive Order 14028 highlights the necessity of maintaining an efficient workforce on the side of federal cybersecurity organizations. To comply, it is important to focus on implementing training programs and certifications for cybersecurity professionals, to help them keep up-to-date on the necessary tools, to more effectively counter ever-evolving cybersecurity threats. Such programs would also support attracting and retaining personnel, while also assisting training for both public and private domains. The focus should be on increasing awareness and workforce development as well as collaborating with educational institutions to enhance their capabilities with expanded cybersecurity talent.

• Encourage public-private collaboration on cybersecurity.

Executive Order 14028 deems it critical that information exchange takes place between the government and private sectors with regards to identifying cybersecurity threats, possible vulnerabilities, confirmed breaches, and other incidents. For this reason, the Order calls for the evolution of existing voluntary, decentralized actions to a mandated, coordinated effort across both the public and private sectors. With a more unified national and global strategy with which to defend against cybersecurity threats, one with a particular focus on critical infrastructure and the software supply chain, all organizations can better forecast and detect threats with a unified front to rapidly respond to each of them.

• Lead global efforts to establish stronger cybersecurity standards and norms.

Executive Order 14028 implies that the U.S. should take a leadership stance on global cybersecurity governance. The Order aims at achieving international collaboration in the development of cybersecurity standards and norms, which would help combat cybercrime on a global level.

Overall, the Order works toward a holistic approach for the betterment of the country’s cybersecurity, in an age of looming cyber threats. With the above goals in place, the U.S. aims to reinforce its position in defence against current and future cybersecurity risks and threats, to protect critical systems, and preserve national security.

Logical Data Management: A Way Forward

In the next post in this series, we will take a deeper dive into Zero Trust Architecture, cloud security, and multi-factor authentication – core elements in redesigning of cyber defense for federal agencies, and explain how the Denodo Platform, a logical data management solution, supports these elements.