Sometimes, it takes a significant event — a “forcing function” — to catalyze significant change. It can even take more than one. A series of cyber attacks with real-world implications and far-reaching impact recently culminated into a moment of action. On May 12, the Biden administration issued a highly anticipated executive order aimed specifically at strengthening the country’s cybersecurity defenses — with strong emphasis on Zero Trust.
According to a White House statement, “This executive order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”
The order also calls for stronger cybersecurity standards for technology partners that provide software and services to the federal government — building on earlier efforts such as the Cybersecurity Maturity Model Certification (CMMC) introduced by the Department of Defense in 2020.
While the executive order focuses primarily on federal agencies and their partners, government officials and cybersecurity pundits alike believe it could drive sweeping change across the private sector — both nationally and abroad.
Kevin Corbett, Director of U.S. Federal Business at CyberArk, has been working in the federal cybersecurity space for more than 25 years. It’s a world he knows intimately, from civilian agencies to the Department of Defense to the intelligence community.
Asked for his impressions of the executive order and its intended implementation, Corbett says he sees it as more than just words on a paper. “We’ve witnessed a 10-year evolution as the government has shifted from a governance and compliance focus to a more proactive, risk-based approach to cybersecurity that drives far better, more sustainable outcomes,” he explains.
The push toward cybersecurity standardization began, Corbett says, in earnest well before SolarWinds, after the massive 2015 Office of Personal Management (OPM) breach. While the government has been making moves in the right direction, progress has not always kept pace with the speed of attacker innovation.
Adding Teeth to the Paper Tiger
Corbett applauds the executive order as a significant milestone for national security but knows there is still work to be done here. “Right now, it reads like a paper tiger,” Corbett says. To drive action and long-standing impact, guidance must become more prescriptive. That starts with standardizing definitions for abstract concepts and best practices and extends to the enforcement of punishment for non-compliance — something not currently laid out in the order.
It’s similar to a person trying to improve their health, he notes. A doctor simply saying “get healthier” doesn’t have the same impact as giving you specific steps to follow, such as switching from soda to water or walking 30 minutes every day. Once you’ve tackled these basics, you can then move on to more advanced exercise or diets — the point being that it’s easier to demonstrate progress and improvement once these specifics are laid out.
Clarity is key, Corbett says. For example, the executive order says that agencies must submit a new plan on moving to Zero Trust. But how exactly is Zero Trust being defined, and where, he asks, “… does the rubber meet the road?”
It may be impossible to establish one set of rules or one type of protocol.
“One of the harshest realities that we have in our industry is the pace of innovation, the pace of application development, the pace of new platforms being developed, new business processes — even new hardware platforms are able to outpace our ability to keep those things secure,” Corbett says.
Rather than attempt to plug holes or fortify defenses, it is more effective for all to adopt the “assume breach” mentality that fuels Zero Trust. This will keep agencies and organizations from trying to figure out where the next breach will happen (a futile effort that is doomed to always be a step behind) and instead just assume the bad actors are already inside. The key, then, is to make sure you have the processes in place to make it as difficult — and as costly — as possible for attackers to reach their goals.
In fact, this is part of what the CMMC aims to do. First introduced by the Department of Defense in January 2020, this standardized framework represents an important step in strengthening the nation’s cyber resilience. In a sense, it’s been laying the groundwork for much of what the executive order is aiming to accomplish — namely, modernizing the federal government’s cybersecurity, fortifying the security of software for purchase by the federal government and, perhaps most importantly, improving the communication and collaboration between the government and private sectors so that there is more of a team approach to cyber attack defense and response. “The CMMC is the DoD’s first effort into a more thoughtful and hands-on approach to supply chain security,” Corbett says.
Created in response to compromises and breaches stemming to vulnerabilities in third-party contractors’ IT systems, the CMMC applies to more than 300,000 companies in the DoD’s supply chain. Rather than having contractors self-report that their systems are compliant (a bit of “take our word for it”), the CMMC lays out a five-tier system that rates a company’s maturity and compliance. Each tier represents, essentially, how close the company comes to sensitive information.
A landscaping company that does work for government agencies, for example — even if there is a possibility it comes into contact with Personally Identifiable Information (PII) — would nonetheless be seen as a lower-tiered organization and would have far less stringent regulations (and expectations). A contractor building advanced weapons systems for the military, on the other hand, would require the highest levels.
Over the years, though, Corbett says he’s seen inconsistencies even within the government itself, which adds complications to its quest to regulate others through a comprehensive policy. He explains, “Agencies get grades, and we see As and Bs, but we also see Ds and Fs. And the reasons why can be numerous — from budget to a dearth of qualified cybersecurity professionals.”
Corbett suggests the government may need to reach out to cybersecurity experts across sectors to create a set of best practice guidelines and standard definitions — organizations that, say, have been pushing for Zero Trust maturity for some time now. It will take a lot of collaboration, guidance and a host of perspectives and backgrounds to keep it moving forward, a phrase used frequently by him and his colleagues, Corbett says. “There is no silver bullet relative to cybersecurity. It’s a team sport.”
When all’s said and done, the CMMC is positioned to be another useful tool rather than a be-all, end-all solution, Corbett says. It’s not perfect; it’s a bit of a work in progress, but it’s a push in the right direction toward more comprehensive guidelines and, ultimately, a better understanding of how to tackle cybersecurity seriously, consistently and permanently.