There is nothing like long lines at the gas pumps to get the attention of government. This is an initiative that is long overdue. There is a great deal to do. Cyber is the infrastructure that we use to operate all the others, particularly to include energy and finance, and it is all too fragile and porous for the reliance that we have upon it.
It is good to see that "zero trust" made the list. The concept goes back to the mainframe and many of us have been actively promoting it for the internet for years. It is important to use it both horizontally, that is system to system and service to service, and vertically, through the layers of the application.Zero Trust requires strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) both user to system and process to process. One cannot trust a process whose identity is not reliable. If strong authentication is not the single most effective and efficient measure at our disposal, it is certainly among the top three. It deserves its own mention.
Zero trust also implies resistance to lateral compromise within the enterprise. It should not be possible to compromise an entire enterprise simply by getting one user to click on a bait message in an e-mail or on a web-site. In addition to resistance to fraudulent credential replay, we need structured networks. I would like to see end-to-end application-layer encryption but, at least in the short run, I would settle for network segmentation and layering.
I am glad that it addresses software quality. However, the practice here is so shoddy and the contributors so many that simply saying we will address it through government purchasing power will not be enough. Nor can we rely on training alone. We need systems and development processes that make it much easier to do it right than to do it wrong.
I would like to have seen the order address accountability and transparency for privileged users. Edward Snowden should not have been able to run rampant through a network that one would have expected to be "secure." It is ironic that the place that we are most likely to see shared credentials is among privileged users. Wherever there are two or more privileged users per shift, we need privileged access policy and management systems.
We cannot continue to allow just any amateur to connect anything they like to the public networks. While it may require legislation, we must require that only mechanisms built by professionals to infrastructure standards (e.g., built for the ages, fails in an orderly and safe manner, resistant to easily anticipated misuse and abuse) can attach directly to the public networks. As we need structure networks within the enterprise, we need structure within the Internet.
We also need to have accountability for suppliers who distribute (malicious) code that they did not write. This too may require legislation but a class action suit against SolarWinds would be a start.
The Biden Executive Order is a start but only a start. There is much to do. Let us get on with it.
Posts
The only questionable statement in Biden's EO is the imperative accelerated move to the cloud. IMPO, this can lead to more risk if federal agencies perform a "lift and shift" rather than "refactor for cloud-native" applications. I think back to when HITECH mandated electronic medical records without prescribing data normalization or interconnectivity. What HITECH created was a healthcare ecosystem that has data converted to proprietary electronic formats and created an industry of companies providing interconnectivity between these disparate electronic records. Let's ensure we do not make this mistake again with this EO.
ReplyDelete