One of the most dangerous aspects of an intrusion into government networks is the time it takes to identify that attack. For instance, the Office of Personnel Management breach started in November 2013, but wasn’t publicly revealed until almost six months later – and it basically continued in one form or another, affecting both the agency and contractors, until mid-2015. The SolarWinds hack was in place for more than a year, and it was discovered not by the company but by a third party.
Sections 7 and 8 of President Joe Biden’s cybersecurity executive order tackle this big problem head-on, with policy directives regarding improved incident detection and mitigation capabilities.
“[This] is a continuation of a process that’s been going on for a very long time, the centralization of cybersecurity on the federal civilian side, while continuing to get fewer agencies in the business of cybersecurity,” said Michael Daniel, former special assistant to the president and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance.
To improve detecting cybersecurity vulnerabilities and incidents, Section 7 requires agencies to deploy endpoint detection and response (EDR) tools, aimed at proactively detecting incidents within the federal infrastructure, actively cyber hunting, containment and remediation and incident response.
This does not mean agencies must build their own EDRs. The Department of Homeland Security — specifically the Cybersecurity and Infrastructure Security Agency — was given 30 days to provide the Office of Management and Budget director recommendations on options for implementing a centrally located EDR initiative. By having a single central location, the EDR will “support host-level visibility, attribution, and response” for civilian agencies’ information systems. Within 90 days after receiving the recommendations, OMB must issue requirements for civilian agencies to adopt the government-wide EDR approaches — including empowering CISA to engage in cyber hunts without prior authorization from an agency’s detection and response activities.
To bolster CISA’s hunting license, agencies were given 75 days to update or establish the Memorandum of Understanding with CISA for its continuous diagnostics and mitigation (CDM) program. This was done to ensure that all object level data is available and accessible to CISA.
The CISA director was given 90 days to report to the OMB director, and to the assistant to the president for National Security Affairs (APNSA) on how the agency would implement its threat-hunting authority. Moving forward, CISA will report on a quarterly basis regarding the actions it has taken.
On the defense and intelligence side of government, the director of the National Security Agency, who also serves as national manager for National Security Systems, was given 45 days to recommend to the secretary of Defense, the director of National Intelligence and the Committee on National Security Systems (CNSS), steps to improve detecting cyber incidents targeting National Security Systems.
Unlike the civilian side, recommendations concerning EDR approaches will be included with further recommendations on whether they should be operated by agencies or through a centralized service. The secretary of Defense, director of National Intelligence and the CNSS have a further 90 days to review the recommendations and establish policies to implement them.
To bring civilian and defense agencies together, the secretary of Defense, secretary of Homeland Security and the OMB director have 60 days to establish information-sharing procedures for any cyber incidents that occur in one realm or the other. They then have seven days to notify the APNSA and the administrator of OMB’s Office of Electronic Government of whether that guidance will be adopted.
A new law will help schools battle cybersecurity risks