Biden's cyber EO moves past the 'castle and moat' strategy

President Biden's May 2021 executive order on cybersecurity is pushing agencies to move past a castle and moat security posture. Here's what you need to know to drive that conversation.

With some deadlines already having arrived and others looming, the May 2021 “Executive Order on Improving the Nation’s Cybersecurity” has IT professionals taking a hard look at security measures ranging from Zero Trust to multi-factor authentication. For many agencies, however, the EO is not a call to action. Instead, it offers support at the highest levels for agencies to continue creating the systems that will protect the federal infrastructure and its data – work that these agencies have been doing all along.

It also underscores a change in the federal sector from a “castle and moat” approach to cybersecurity to one in which cybersecurity is intended to work across agencies.

Last month, I was fortunate to take part in a panel discussion with security experts in some of the largest federal agencies. Questions shared with the panelists showed that issues like Zero Trust architecture and multi-factor authentication are nothing new for these experts.

Asked whether agencies were able to adopt Zero Trust architectures within the 60-day window provided by the EO, Paul Cunningham, the Veterans Administration Chief Information Security Officer, gave his colleagues the benefit of the doubt.

“I'm confident that all of the agencies have responded back in a timely manner,” Cunningham said. The EO, he noted, provides a “joining factor” across all federal agencies. The truth about agency performance in the Zero Trust aspect of the order will come out as agencies find ways to “share (information) collectively to improve our networks.”

For Steve Hernandez, chief information security officer at the U.S. Department of Education, the order has served to formalize work already being done across agencies, especially in areas such as multi-factor authentication.

“There has always been a considerable amount of conversation and push to make sure we're getting through and crossing the finish line with multi-factor,” Hernandez said. Noting that his agency reports on multi-factor authentication “every year,” Hernandez said the EO provides some additional incentive for agencies to continue down the road they’ve already taken.

“If you need that extra push to get over the finish line,” Hernandez said, that’s where the EO comes in.

He added, however, that the order’s emphasis on “low-impact systems” offers benefits that were not necessarily considered when multi-factor authentication was focused on systems with “high asset value.” Having such protections on low-impact systems as well offers “a better user experience, and adds more protection than the single sign-on methods typically employed in such systems,” Hernandez said.

Asked about the importance of Zero Trust architecture, Hernandez acknowledged that there is in some cases a “disconnect between account provisioning, account maintenance, and account termination” and who has access to systems. “We need to pull back some of the rights,” he said. “With Zero Trust, we're going to see attribute security come into play,” with some roles being taken away and others added.

Improving authentication for “Internet of Things” devices is also increasingly important for federal networks, said Garo Nalbandian, acting CISO for the U.S. Nuclear Regulatory Commission. The “convergence” of personal and business devices that came about during the pandemic has increased cyber attack footprints. His agency has begun to “utilize micro zones to isolate IoT devices from the rest of the network” to address this new threat vector, Nalbandian said.

“We employ next generation firewalls,” he said, as well as “preventive measures to keep devices from getting access. I think collectively with our broader cyber training program, it helps us to protect us against malicious activity,” he explained.

The panel members in general agreed that the $1 billion allocated by Congress for the Technology Modernization Fund will be helpful in enabling federal agencies to meet the mandates of the EO. Cunningham noted that the funding puts to rest questions about how to continually implement solutions. Calling the move in Congress “absolutely brilliant,” he added that it “changes the way we discuss priorities.”

So how should that discussion move forward with agency leadership? I was asked to offer advice regarding cybersecurity protections for IT infrastructure and data security.

My main advice is to remember that security is a process, and it needs to be very purposeful. Agencies should not jump to a solution like the cloud because a vendor says it will solve a problem, unless that problem actually exists in the organization. There needs to be an analysis of areas of concern like Zero Day attacks and technologies such as Zero Trust access, and some implementations do need to be proactive.

Still, an analysis will provide an understanding of priorities. Which systems are critical to continuity? Which data systems are important, and where are they located? How do users access them? Until that type of analysis is done, it’s difficult to arrive at a solid solution.

Certainly, organizations need to start thinking proactively about Zero Day attacks, and acknowledge that a breach will happen. That means creating a plan on how to mitigate and recover from that type of attack, along with backup strategies and how to quickly reimage a system, should it be compromised.

Finally, security needs to be seen as an end-to-end issue. Organizations need to get away from security models that look only at choke points, where firewalls might block ingress and egress.

It’s time to throw out the “moat and castle” security strategy, because the moat keeps changing. Security perimeters are getting fuzzy, with more people working from home, and data located not only on premises but in the cloud as well. It’s becoming nearly impossible to know where to put the moat – or even what the moat needs to be when defending the castle from attack.