Published on May 13th, 2021
Industry collaboration will make or break cybersecurity executive order
Dave Nyczepir
Government must improve the way it works with industry if it wants to implement Wednesday’s cybersecurity executive order on schedule, technology experts told FedScoop.
The executive order comes after the recent Colonial Pipeline, Microsoft Exchange and SolarWinds hacks, which found the government ill-equipped to mitigate cyberattacks by nation-states or mere hackers with the right tools and know-how.
Agencies’ known struggles identifying innovative tech companies that offer the cloud services they need to implement zero-trust security will likely slow compliance, Terry Rydz, tech engagement manager at Dcode, told FedScoop.
“Something that has hindered and something that government should really be paying attention to is its ability to tap into America’s innovation base,” Rydz said. “To work with tech companies that honestly have the tech to address a lot of these issues, and have been doing it in the commercial sector for a while, but have trouble breaking into and working with the federal government.”
Dcode vets tech companies for their applicability to federal missions and cyber protections and trains them to work with agencies.
The executive order sets numerous deadlines for updating Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement contract requirements to increase the detail and speed at which companies share cyber threat and incident information with agencies.
âThe tech companies that come through our program and some of those traditional contractors, it kind of forces them to be more exploratory internally about the security and inherent risks tied to their own IT systems and how that impacts the security of their government clients,â said Lauren Strayhorn, tech engagement manager at Dcode.
Whether the threat of losing government contracts will cause companies to improve cyber protections, when market incentives did not, remains to be seen.
But public-private communication stands to improve because of the order, said Robert Cattanach, partner at Dorsey & Whitney, in a statement.
âBy mandating prompt disclosure of cyber events by federal contractors, establishing a lessons-learned process and more rigorously vetting the reliability of newly defined âcritical softwareâ through the lens of a âzero-trust architecture,â the process-heavy order will focus both attention and resources on a hugely vulnerable component of the day-to-day functioning of both the public and private sectors,â Cattanach said.
Federal contractors didnât immediately balk at the orderâs âaggressiveâ timeline by their estimation.
The government expects contractors to share proprietary intelligence many sell âat a premiumâ and prove their code is secure prior to releases or lose its business, said Charles Herring, chief technology officer at WitFoo, a security information and event management company.
âFor years source code integrity has gone largely unaudited, which is going to leave many software providers scrambling to update secure development operations procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant,â Herring said. âIt is a potentially devastating blow to providers that have neglected these hygiene steps.â
But itâs also foundational to the new security paradigm the government is working toward.
Breaches can happen quickly and reporting them can be embarrassing and scary for tech companies and agencies alike, yet itâs integral to maintaining national security, said Lindsay Atherton, tech engagement manager at Dcode.
âMaking the federal agencies think deeply about not only what the requirements are from a reporting perspective from cloud service providers, but the parameters around them, is going to be essential in creating an environment of trust,â Atherton said.
Previous federal cloud strategies promoting agencies’ migration to the cloud didn’t particularly emphasize securing those services.
This executive order changes that.
âWe had Cloud First, and then Cloud Smart. The Executive Order on Improving the Nationâs Cybersecurity moves us into the era of Cloud Secure,â said Stephen Kovac, vice president of global government and head of corporate compliance at tech company Zscaler. âWe are encouraged to see the focus on developing cloud security strategies, technical reference architectures and cloud governance security frameworks.â
The existing Federal Risk and Authorization Management Program and Trusted Internet Connections 3.0 security frameworks should form the cornerstones of âCloud Secureâ as agencies modernize their security, Kovac added.
Tech experts also praised the order’s emphasis on increasing collaboration between government and industry.
“We appreciate the focus on public-private collaboration in this executive order and its meaningful steps to modernize and streamline federal information systems, networks, and supply chains,” said Jason Oxman, president and CEO of the Information Technology Industry Council, in a statement. “We look forward to working with the Biden-Harris administration to ensure that federal agencies and contractors have the proper resources and support to ensure that U.S. cybersecurity objectives are advanced while minimizing any potential impact on privacy, civil liberties and U.S. competitiveness.”
Agencies are getting on board, too.
The Department of Homeland Security will take “immediate steps” to implement the order, said Secretary Alejandro Mayorkas.
“Today’s executive order will empower DHS and our interagency partners to modernize federal cybersecurity; expand information-sharing; and dramatically improve our ability to prevent, detect, assess and remediate cyber incidents,” Mayorkas said in a statement.
New legislation building upon the executive order should be expected in the coming months.
Sen. Mark Warner, D-Va., chairs the Select Committee on Intelligence, which has been instrumental in moving critical cyber legislation to date.
âThis executive order is a good first step, but executive orders can only go so far,â Warner said in a statement. âCongress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.â
Gloss