For a variety of reasons, some more obvious than others, it’s unreasonable to expect federal and local governments to develop the software that supports their day-to-day operations. So they turn to solutions provided by private companies. This is really a win-win situation; the government gets access to best-of-breed solutions developed by experienced companies, and the vendor secures funds that help spur innovation that’s available to the public and private sector alike. After all, it was a government-funded project that led to the development of the internet that we know and love today. But what about the security implications of this relationship?
Recent events have shattered any assumption that if governmental agencies, like the U.S. Departments of Defense and Homeland Security, use a piece of software, it must be secure. And this isn’t necessarily due to a lack of diligence on the government’s side; some threats, like ones introduced further up the supply chain, are simply out of their hands.
While the SolarWinds breach was, and still is, highly cited, it’s for good reason. This incident is a shining example of the implications of an attack that originated several degrees of separation away from where an application was actually being deployed. This is arguably the very definition of a supply chain attack. It’s attacks like this one, which compromise governmental operations and critical infrastructure, that led to President Biden stepping in.
On May 12, 2021, President Biden issued Executive Order (EO) 14028, setting in motion efforts to pay closer attention to potential threats introduced earlier in the supply chain. While the order primarily charged multiple agencies with directives that are still in the process of being fulfilled today, it laid the groundwork for what can be expected moving forward. However, if you’re in the private sector and do not do business with the government, you’re most likely left wondering whether this will affect your organization at all. Without knowing anything about you or your company, I can still confidently say that it does. There are a couple examples from the past that serve as precedent.
This most recent EO certainly isn’t the first time that the government stepped in to help combat cybersecurity threats. In 2013, the Obama administration issued EO 13636, which outlined the responsibilities of federal departments and agencies in improving the cybersecurity of critical infrastructure. As a result, NIST gathered several key stakeholders to develop what is known today as the Cybersecurity Framework (CSF). This framework provides a common language to help organizations understand and manage their current cybersecurity posture. Basically, it helps entities understand the types of risks they face, and how well-positioned they are to handle them. With this information, necessary improvements can be made to reduce risk.
The primary stakeholders of the CSF have always been private sector operators of critical infrastructure, such as pipelines and power grids, but the CSF has grown to be adopted by a diverse set of organizations and governments across the globe. Some of the more notable companies that leverage it include JP Morgan Chase, Microsoft, Boeing, Intel, Bank of England, and the Ontario Energy Board. While none of these companies are required to adhere to the CSF, they took advantage of it to shape their programs and secure their businesses. Considering that the newest EO makes a call for input from industry experts, one can reasonably expect software vendors and consumers to turn to it for guidance.
For another example of federal policies making it into the private sector, we can look at NIST Special Publication (SP) 800-161. The NIST 800 series is a set of policies, procedures, and guidelines specified by the United States federal government. 800-161, first published in 2015, was originally intended to help federal agencies address the supply chain integrity of the software they use. Since then, it has been revised and adapted by a variety of governmental and non-governmental organizations wishing to solidify their supply chain risk management programs. This publication has become so relevant that it has worked its way into international standards—it has been mapped to ISO 20243.
While I haven’t been very subtle in making my point thus far, plainly put, you do not have to be in, or work with, the public sector or critical infrastructure to be affected by the latest cybersecurity executive order. The outcomes of initiatives such as these tend to become guiding principles and de facto standards in the industries for which they apply. And this is for good reason. These processes typically involve a collection of the topic’s greatest minds and experiences, rallied behind one joint cause. Taking advantage of the results is simply prudent and efficient.
So as a software producer and vendor, you probably want to get ahead of the game and start preparing for what might be asked of you by the consumers of your products. By taking hints from EO 14028, you get a solid picture of what to expect and where to start.