President Biden’s Cybersecurity Executive Order: The Impact On Scranton and Wilkes-Barre Business
On May 12, President Biden issued an Executive Order (EO) that requires the networks of Federal Departments and Agencies to have improved safeguards against cyberattacks. This Executive Order seeks to improve the state of national cybersecurity in the country and to increase the overall protection of government networks following the recent Colonial Pipeline hack.
While the order arrived while Colonial Pipeline was still recovering from the ransomware attack, once the details of the executive order are understood, the order appears to be more of a response to the SolarWinds attack that occurred in 2020. The attack on SolarWinds was allegedly connected to Russia’s Foreign Intelligence Service (SVR).
We are aware that some of the most well-known names in Corporate America were victims of the attack, from tech companies to universities. Numerous departments of the U.S. federal government were also victims of the ransomware attack, including the Department of Defense, the Department of Homeland Security, and the National Institutes of Health.
The Colonial Pipeline, the SolarWinds attack, and numerous other ransomware hacks and attempts all added a new sense of urgency to the current executive order. While the majority of the Cybersecurity Executive Order focuses on government agencies, the entire Cybersecurity EO will have a deep and lasting impact on how government agencies and the private sector approach cybersecurity moving forward.
Corporate compliance and risk management professionals should gain a full understanding of this order — because, in due time, the impact of the directives of this order will be felt in significant ways.
What Will The Executive Order Do?
While the executive order is 34 pages long, three main points should be noted:
The Cybersecurity EO identifies various barriers limiting how much information can be shared between Information Technology (IT) and Operational Technology (OT) providers and the Federal Government. The EO provides guidance on how those barriers can be removed and how more incident information can be shared with relevant parties.
The Cybersecurity EO examines standard contract sections designed to require contractors to do the following (and more):
- Collect cyber threat data
- Share the collected cyber threat data with relevant agencies
- Collaborate with cybersecurity and/or investigative agencies
Another key point in the executive order relates to stronger cybersecurity practices within the federal government. The Cybersecurity EO requires federal agencies to prioritize the adoption of cloud technology and cybersecurity best practices. The Cybersecurity EO requires the use of multi-factor authentication and Zero Trust Architecture so that user access is limited to what is needed.
CISA (the Cybersecurity and Infrastructure Security Agency) is responsible for issuing guidance related to cloud security and incident response, in addition to other guidance. Within 60 days of the EO, federal agencies will be responsible for reporting to CISA and other organizations on how fully Zero Trust Architecture, multi-factor authentication, and data encryption have been adopted.
Software Supply Chain
The Cybersecurity Executive Order outlines the need for stronger oversight of the software supply chain. The Executive Order will require tighter controls and standards for software developed for the government or licensed to the government. The EO includes steps that outline better practices for the engineers responsible for designing and writing software.
Contractors will be required to provide agencies with a Software Bill of Materials (SBOM) for all software products; this can be achieved by providing the SBOM directly or by publishing it on a public website.
The Cybersecurity EO will also do the following:
- Establish a Cybersecurity Safety Review Board
- Create a Standard Playbook for Responding to Cyber Incidents
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- Improve Investigative and Remediation Capabilities
As a result of the Cybersecurity EO, we anticipate that more businesses in Scranton and Wilkes-Barre will have a greater sense of the new cybersecurity requirements by the end of 2021.
How Will The Cybersecurity EO Impact Your Business?
While the directives outlined in the Cybersecurity EO are still in the initial phases, it is not too early for your business to begin preparing. Every business should anticipate being a target of a cyber attack, implement an improved form of defense, and apply various controls based on behaviors that accompany cyber attacks.
Your business should review its policies to determine whether they align with its procedures and protocols. If the policies do not align with your protocols, revisions will need to be made. The Executive Order will shift regulatory expectations and public expectations in favor of more transparency. The head of each agency will be responsible for preparing and developing a plan that will dictate how the requirements will be met.
Have a Plan in Case of Threats
You will never know when a cyber attack will strike. It is important to develop and practice a plan so your employees will be able to respond when trouble occurs. The Cybersecurity EO creates an effective playbook for cyber incident responses. Just as you cannot wait for an actual natural disaster to occur to figure out how you will prepare or escape, your business cannot wait until an actual cyber attack occurs to figure out how you will respond.
Ensure Your Staff is Prepared
Your staff serves as extra sets of eyes and ears and makes it possible to maximize safety for the benefit of your business. You can prescribe standards for cybersecurity protocols by establishing training programs. Training programs can be implemented to ensure your staff is prepared to manage security-related requests.
Perform a Fresh Assessment
Businesses across Scranton and Wilkes-Barre should prepare to perform new assessments of compliance risks under the new requirements. If your business is responsible for collecting data about cybersecurity attacks and sharing that information with federal agencies, there may be new privacy risks that will need to be taken into consideration.
Implement the Findings
After performing the fresh assessment of your compliance risks, you will need to consider the new procedures and policies your business may need to implement. The Cybersecurity EO will likely change what your business is responsible for, including the following:
- What needs to be reported to the government
- How software will be developed
- The authentications that need to be provided by third parties
After your cybersecurity defenses have been implemented, it will be important to make sure they are tested regularly, and you will need to ensure everyone in your business has been tested on their cybersecurity readiness.
How Tech42 Can Help
At Tech42 LLC, cybersecurity has never been an afterthought. We always deliver the highest level of protection for your business when needed. We are on a mission to promote online safety by remaining committed to helping businesses across Scranton and Wilkes-Barre defend themselves against malicious threats.