President Biden’s cybersecurity executive order (EO) directs major advancements in the protection and resilience of our federal missions against ever-worsening and highly sophisticated cyber threats—and it could mark a turning point. It marshals whole-of-government forces with a myriad of tasks designed to defend U.S. national and economic security. But achieving the EO’s possibilities will require an unwavering focus on the big picture. Now more than ever, agencies must double down on data-driven cybersecurity to safeguard information, infrastructure, and operational technology from emerging risks.
More than two years after the standup of the Cybersecurity and Infrastructure Security Agency (CISA), the EO makes clear the primacy of CISA in both national and federal cybersecurity. In addition, the EO focuses on protecting digital supply chains and holding contractors and service providers to higher security standards. It moves beyond deploying controls to focus on leveraging data to improve security. And it calls for proactive, preventive security operations with an emphasis on vulnerability management and persistent threat hunting.
Unstated in the EO is the budget that will be required to fulfill these mandates. And, going forward, the onus is still on Congress to ensure federal cybersecurity efforts are funded each year, just as executive leadership must drive cybersecurity investments in the private sector. But here are four ways agencies and businesses can put the EO into action by unleashing a data-driven arsenal of cyber defenses:
- Rethink security link by link: From the enterprise to the larger ecosystem of hardware, software, and service providers, organizations must know every strand of their supply chain to see their attack surface, apply an adversarial mindset, and prevent new threat vectors. That’s why agencies are conducting supply chain reviews based on a separate EO issued in February. Addressing supply chain risks also requires due-diligence checks against third-party vendors. And the cybersecurity EO calls for new related risk-management tools: It directs the National Institute of Standards and Technology to develop standards and guidelines for supply chain security.
- Weaponize distrust: There are no silver bullets in the cybersecurity marketplace. As the EO urges, organizations must move away from simply overlaying more security controls and countermeasures and instead build a more defensible and modern digital infrastructure based on principles of zero trust. We recommend implementing controls around seven pillars (user, device, network/environment, application and workload, data, visibility and analytics, and automation and orchestration). And civilian agencies and businesses should draw lessons and inspiration from the national security community.
- Use data to turn the tables on threats: To drive cyber defense improvements and make systems inhospitable for intruders, organizations must embrace preventive and proactive security with improved hygiene, vulnerability management, and persistent threat hunting. Agencies and businesses need to harness the power of their security data by combining automation, advanced analytics, and tradecraft to quickly uncover cyber anomalies and spot hidden threats in their networks. As the EO notes, civilian agencies must work in partnership with CISA to help implement the new threat-hunting authorities that Congress gave CISA in the National Defense Authorization Act for Fiscal Year 2021. And proactive hunting of cyber threats is just as vital in the private sector.
- Share your cybersecurity insights: The federal government and critical infrastructure industries must greatly elevate the timely sharing of actionable cyber threat and incident data, building on the past progress of sector-specific hubs. To that end, the EO calls for removing contractual barriers to information sharing and requiring contractors that provide IT and operational technology services to share cyber threat and incident data with federal authorities. Contractors must prepare accordingly. But more broadly, all organizations should develop innovative ways to cost-effectively store troves of security data for analysis and quickly pinpoint and share actionable insights on demand.
The EO assigns CISA leaders greater accountability to secure and defend the nation and the government but also deals them a stronger hand through greater authorities to meet these new obligations. It will help, for instance, implement and quickly operationalize CISA’s new threat-hunting authorities. And the EO is designed to catalyze cybersecurity improvements in the private sector, too, by using the government’s purchasing power to elevate security standards and performance. But more broadly, the imperative to put data-driven cybersecurity into action should now be a top priority for government and industry leaders. What hangs in the balance is nothing less than the future of U.S. national and economic security.