In one of his last acts as US President, Joe Biden signed a sweeping executive order (Executive Order 14144, signed on 16 January 2025) aimed at strengthening the US’s cybersecurity. It follows up on Executive Order 14028, issued in May 2021 during Biden’s first year in office.
Among other things, the new executive order imposes new security standards for companies that do business with the US Government and will also require software companies to demonstrate the security of their development processes.
“The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens,” said outgoing Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger during a media conference.
“It’s great to see such a detailed executive order relating to cybersecurity,” said Panaseer CEO Jonathan Gill. “This reflects the importance of cybersecurity at the highest levels. It is an issue of national security and should be treated as such. One of the big themes coming out of the order is the need to implement the right controls and to be able to provide evidence.”
“Section two really underscores the need for secure software development,” he added. “If it is followed through, software publishers will need to open their kimonos to show they have the right controls in place and that these are working effectively. It is also interesting to see in section seven that NIST will be issuing guidance on ‘minimum cybersecurity practices,’ considering common cybersecurity practices and security controls.”
“Moving forward, we can expect to see even greater emphasis not just on encouraging companies to implement controls, but on providing evidence of such,” said Gill. “However, many companies will struggle here. IT infrastructures and ecosystems have become incredibly complex. Most large organisations do not even have visibility of what assets they have, let alone the status of their security controls across those assets. This isn’t due to a lack of effort or care from cybersecurity professionals. The challenge lies in the fact that most large organisations rely on 50-plus cybersecurity tools to protect their fast-moving IT environments.”
“These tools operate in silos, disconnected from one another and informed by incomplete configuration management databases. As we move into an era of ‘trust, but verify’, organisations will be under increasing pressure not only to outline what controls they have, but to demonstrate their effectiveness,” he said.
“Most large organisations already possess the data they need to understand their assets, control coverage, and control effectiveness, but it’s scattered and inaccessible. This data must be transformed into actionable, trusted intel, enabling security leaders to identify gaps, enforce accountability, and ensure stakeholders meet agreed-upon standards of controls.”
It remains unclear if President-elect Donald Trump’s new administration will uphold the executive order. Neuberger said the outgoing White House cybersecurity officials have not met with Trump’s incoming cyber staffers.