Government must improve the way it works with industry if it wants to implement Wednesday’s cybersecurity executive order on schedule, technology experts told FedScoop.
The executive order comes after the recent Colonial Pipeline, Microsoft Exchange and SolarWinds hacks, which found the government ill-equipped to mitigate cyberattacks by nation-states or mere hackers with the right tools and know-how.
Agencies’ known struggles identifying innovative tech companies that offer the cloud services they need to implement zero-trust security will likely slow compliance, Terry Rydz, tech engagement manager at Dcode, told FedScoop.
“Something that has hindered and something that government should really be paying attention to is its ability to tap into America’s innovation base,” Rydz said. “To work with tech companies that honestly have the tech to address a lot of these issues, and have been doing it in the commercial sector for a while, but have trouble breaking into and working with the federal government.”
Dcode vets tech companies for their applicability to federal missions and cyber protections and trains them to work with agencies.
The executive order sets numerous deadlines for updating Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement contract requirements to increase the detail and speed at which companies share cyber threat and incident information with agencies.
“The tech companies that come through our program and some of those traditional contractors, it kind of forces them to be more exploratory internally about the security and inherent risks tied to their own IT systems and how that impacts the security of their government clients,” said Lauren Strayhorn, tech engagement manager at Dcode.
Whether the threat of losing government contracts will cause companies to improve cyber protections, when market incentives did not, remains to be seen.
But public-private communication stands to improve because of the order, said Robert Cattanach, partner at Dorsey & Whitney, in a statement.
“By mandating prompt disclosure of cyber events by federal contractors, establishing a lessons-learned process and more rigorously vetting the reliability of newly defined ‘critical software’ through the lens of a ‘zero-trust architecture,’ the process-heavy order will focus both attention and resources on a hugely vulnerable component of the day-to-day functioning of both the public and private sectors,” Cattanach said.
Federal contractors didn’t immediately balk at the order’s “aggressive” timeline by their estimation.
The government expects contractors to share proprietary intelligence many sell “at a premium” and prove their code is secure prior to releases or lose its business, said Charles Herring, chief technology officer at WitFoo, a security information and event management company.
“For years source code integrity has gone largely unaudited, which is going to leave many software providers scrambling to update secure development operations procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant,” Herring said. “It is a potentially devastating blow to providers that have neglected these hygiene steps.”
But it’s also foundational to the new security paradigm the government is working toward.
Breaches can happen quickly and reporting them can be embarrassing and scary for tech companies and agencies alike, yet it’s integral to maintaining national security, said Lindsay Atherton, tech engagement manager at Dcode.
“Making the federal agencies think deeply about not only what the requirements are from a reporting perspective from cloud service providers, but the parameters around them, is going to be essential in creating an environment of trust,” Atherton said.
Previous federal cloud strategies promoting agencies’ migration to the cloud didn’t particularly emphasize securing those services.
This executive order changes that.
“We had Cloud First, and then Cloud Smart. The Executive Order on Improving the Nation’s Cybersecurity moves us into the era of Cloud Secure,” said Stephen Kovac, vice president of global government and head of corporate compliance at tech company Zscaler. “We are encouraged to see the focus on developing cloud security strategies, technical reference architectures and cloud governance security frameworks.”
The existing Federal Risk and Authorization Management Program and Trusted Internet Connections 3.0 security frameworks should form the cornerstones of “Cloud Secure” as agencies modernize their security, Kovac added.
Tech experts also praised the order’s emphasis on increasing collaboration between government and industry.
“We appreciate the focus on public-private collaboration in this executive order and its meaningful steps to modernize and streamline federal information systems, networks, and supply chains,” said Jason Oxman, president and CEO of the Information Technology Industry Council in a statement. “We look forward to working with the Biden-Harris administration to ensure that federal agencies and contractors have the proper resources and support to ensure that U.S. cybersecurity objectives are advanced while minimizing any potential impact on privacy, civil liberties and U.S. competitiveness.”
Agencies are getting on board, too.
The Department of Homeland Security will take “immediate steps” to implement the order, said Secretary Alejandro Mayorkas.
“Today’s executive order will empower DHS and our interagency partners to modernize federal cybersecurity; expand information-sharing; and dramatically improve our ability to prevent, detect, assess and remediate cyber incidents,” Mayorkas said in a statement.
New legislation building upon the executive order should be expected in the coming months.
Sen. Mark Warner, D-Va., chairs the Select Committee on Intelligence, which has been instrumental in moving critical cyber legislation to date.
“This executive order is a good first step, but executive orders can only go so far,” Warner said in a statement. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”