In view of the cybersecurity threats faced by India’s public and private establishments, the government should revise and update its policy, learning from the US Executive Order, so as to make it foolproof. Focus should also be placed on information sharing and on learning from best practices from a country perspective.
With recent cybersecurity incidents in the US such as SolarWinds, Microsoft Exchange and Colonial Pipeline, President Biden has signed an Executive Order (EO) to improve the nation’s cybersecurity and protect federal government networks.
Presently, both public and private sector entities are increasingly facing sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.
The Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the administration is taking to modernize national cyber defenses.
However, the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of the United States’ domestic critical infrastructure is owned and operated by the private sector, and those companies make their own decisions about cybersecurity investments. In this case, private sector companies are encouraged to follow the Federal government’s lead and take ambitious measures to augment and align their cybersecurity investments with the goal of minimizing future incidents.
The Executive Order focuses on seven pillars: removing barriers to threat information sharing between government and the private sector; modernizing and implementing stronger cybersecurity standards in the federal government; improving software supply chain security; establishing a Cybersecurity Safety Review Board; creating a standard playbook for responding to cyber incidents; improving detection of cybersecurity incidents on federal government networks; and improving investigative and remediation capabilities.
The Executive Order ensures that IT service providers are able to share information with the government and requires them to share certain breach information. Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses of Federal departments, and to improve the nation’s cybersecurity as a whole.
The EO helps move the federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multi-factor authentication and encryption within a specific time period. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
The EO will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
It also creates a pilot program for an “energy star” type of label so that the government, and the public at large, can quickly determine whether software was developed securely.
The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.
The EO creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. The playbook will ensure all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the federal government. The federal government should lead in cybersecurity, and strong government-wide Endpoint Detection and Response (EDR) deployment, coupled with robust intra-governmental information sharing, is essential.
The EO creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.
The Indian government also needs to increase its investment in cyber security so that both central and state systems are kept up to date with the latest tools and techniques to fight the menace of cyber attacks.
All the above pillars are very useful not only for the US but also from an Indian perspective, as they focus on gearing up for the cyber security challenge at both the central and state level in a coordinated way. Learning from mistakes and documenting the whole episode definitely helps all stakeholders, so that remedial measures can be taken at the earliest, before and after an incident, and the damage from cyber attacks can be minimized.