If the Colonial Pipeline ransomware attack taught us anything, it’s that our critical infrastructure will continue to be a top target for cybercriminals. The World Economic Forum (WEF) called this rise in cyberattacks on critical infrastructure “the new normal across sectors such as energy, healthcare, and transportation." Cybercriminals are coming at us from all angles, looking to steal, manipulate, and hold data hostage.
As my colleague discussed in a blog earlier this week, The Biden administration released its Executive Order on Improving the Nation’s Cybersecurity. This Order, expected in response to the recent attacks to infrastructure (notably SolarWinds, Microsoft Exchange and Colonial Pipeline, aims to improve our national cybersecurity posture.
The majority of the nation’s critical infrastructure is privately owned and operated, but they are regulated by the public sector, making security a shared responsibility between the two. While the operator at the water treatment plant or the field service manager at the electrical grid are likely our first line of defense in recognizing a security threat, it’s the government, namely the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), that sets cybersecurity directives for the civilian part of the executive branch.
The recent Executive Order calls out the need for government and private providers of essential services to work together to effectively defend from the growing threat of cyberattacks. The White House noted in the fact sheet released with the Executive Order.
“The Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
The Executive Order calls for more information sharing between the public and private sectors and states that IT providers are sometimes hesitant to share details about a breach or cyberattack. This Executive Order calls for providers to share “breach information that could impact Government networks”, a direct response to the SolarWinds attack, where a routine software update led to breaches of a dozen or so government agencies (and many top private U.S. companies).
Power of the pen
According to analysis by Lawfare, a Presidential Executive Order wields more influence than a directive from CISA. Although a President can’t go so far as to make rules for private companies to follow, the language of an Executive Order can make private companies sit up and take notice.
“Depending on the terms—and depending on the desire of private-sector entities to compete for contracts under those conditions—this “procurement power” can be a significant lever to impact behavior outside the executive branch.”
While this directive is for the Federal government, it should be clear for any private entity that to remain competitive within the Federal government, they best follow the lead and get serious about buttoning up their security protocols. This uses the federal contracting process to create a domino effect that will reach the private sector.
Zeroing in on authentication and encryption
Cybersecurity is an expansive topic, and although the Executive Order covers a wide array of cybersecurity challenges, it’s very clear about the importance of implementing multifactor authentication and encryption for data at rest and in motion—and implementing it ASAP.
“Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
By zeroing in on authentication and encryption of data in motion and data at rest, the administration provides private companies a good place to start when making plans to beef up and modernize current security protocols.
Where do we start?
It can be difficult to know where to turn as you assess your security operations to meet the Executive Order requirements quickly. And 180 days is not a long period of time to ramp up solutions to get compliant with the Executive Order. Thales is in a unique position in that we can provide a host of security solutions under one roof, including authentication, data encryption (at rest and in motion). And having a single vendor is not only more secure, but it means faster procurement and quicker time to deployment. Thales helps protect the data and identities of many large private companies, including large infrastructure providers, as well as the Federal Government.