- President Joseph Biden’s executive order emphasizes good cybersecurity hygiene for federal contractors.
- The executive order could increase the cost of becoming a federal contractor, pricing out small companies.
- Third-party and supply-chain risks are increasing across enterprises, healthcare facilities, agencies, and other organizations worldwide.
- This article is part of the “Cybersecurity Briefing” series focused on the country’s state of readiness, and what company IT leaders think are the top policy priorities.
Cybercrime means the future of international conflicts may be stealthier and quieter than battles of the past.
State-sponsored cyberattacks can take out critical infrastructure facilities and cause massive failures of information technology or operational technology networks. They can also create financial chaos by deploying ransomware and encrypting data, with no one aware of it until it is too late.
In the first seven months of 2021 alone, the Center for Strategic & International Studies, a Washington DC-based think tank, identified 87 state-sponsored attacks worldwide. That said, some major cyberattacks are not state-sponsored. The Colonial Pipeline attack is believed to be a criminal ransomware attack designed simply to extort money – $4.4 million – by the DarkSide hacking group in Eastern Europe rather than a politically motivated incident.
President Joseph Biden’s executive order on improving the nation’s cybersecurity addresses many of the key concerns federal agencies and corporate America face today. The order requires agencies to address vulnerabilities in software and networks and provides guidelines for remediating those issues. Specifically, the order calls out enhancing supply chain security – a major issue that not only influences national and corporate security but can also affect the economy.
The Biden executive order expands information sharing currently banned or restricted by contracts to agencies including the Cybersecurity and Infrastructure Security Agency, FBI, parts of the intelligence community, as well as cloud service providers and other enterprises and agencies.
In contrast, President Barack Obama’s 2013 executive order on cybersecurity was much less comprehensive and focused mainly on critical infrastructure. Obama’s key takeaway was an order for the National Institute of Standards and Technology to create a Cybersecurity Framework. Like Biden’s order, these security controls are voluntary.
That said, this action appears to be only the first warning for government contractors. “There was a lot of good intention put into the presidential executive order of May 12, 2021,” John Young, founder of Young Cyber Security and a former cybersecurity defense expert at IBM, said.
He cautions that this order could price smaller and potential new companies out of the government contractor market. “The added costs for new contractors to comply with the order could tip the balance to those that already have a compliance infrastructure,” he said. “Most government contracts are granted to the lowest bidder.”
The changing landscape of cyber threats makes it imperative for companies to understand their own cyber risks. A company cannot fully understand its vulnerabilities without a complete audit of its data – what it is, where it exists, how it is protected, and its value in relation to other corporate data.
A full assessment of all data assets is essential before a company can begin to build defenses against different risks, whether they be criminals out to sell your data, ransomware attackers, political or social actors bent on damaging or destroying data, state-sponsored attackers, or simply newbie attackers out to make a name for themselves.
As the Biden executive order indicates, third-party risk is becoming a much larger threat. The most recent example of a major third-party breach was SolarWinds, where a trusted third party’s software was compromised and used to attack companies, healthcare facilities, and government agencies worldwide.
To ensure that enterprises, healthcare facilities, agencies, and other organizations are protected from a compromised supply-chain or business partner, security teams should perform a baseline analysis of their network and all network traffic. They should then immediately begin remediating the most serious potential threats identified by that analysis. Neglecting to do so could be a violation of governance and compliance regulations.
Young recommends companies conduct regular compliance and device evaluations, along with internal auditing, to ensure that potential attackers are not entering networks through third parties and supply-chain partners. “Each server will have its own data collection in a repository, and when it’s examined, will reveal if they’re compliant; if not, a close investigation will also reveal when, where, why, and how deviations occurred,” he said.
“An audit will reveal if the cybersecurity team has followed company policy. For each data point a server could fail on – and there are hundreds of them – that’s an exposure hackers could exploit if they were able to penetrate the network.”