“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
So begins the May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity released by President Biden and aimed at improving the US Federal Government’s cybersecurity posture. The executive order to protect federal networks and data came on the heels of two significant cyber attacks. The Colonial Pipeline ransomware attack shut down gas to much of the East Coast in the US for five days and reportedly cost the company USD 5 million to recover its stolen data. The SolarWinds supply chain attack was a Russian-backed attempt to commit cyber-espionage against the U.S. Federal Government and other high-profile targets.
Though the executive order was expected, its language was much stronger than experts anticipated. This effort to bolster the US’s cybersecurity defenses places strict new standards on the security of any software sold to the Federal Government. It also sets up a Cybersecurity Safety Review Board, which could lead to a government rating of the security of software similar to a car’s safety rating. The bottom line is the US government is forcing software companies to practice better security hygiene or risk being shut out of federal contracts.
Reinforcing the message of the executive order, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology in the Biden administration, presented a keynote address at RSA Conference 2021. In her address, she stated, “Cybersecurity is a matter of national security,” and that “the stakes couldn’t be any higher.” She called out supply chain attacks as an area of particular concern. Neuberger also stressed the importance of shifting from a mindset of incident response to one of prevention as cybersecurity defenses are modernized.
The Biden administration is making cybersecurity a priority not only because of the impact of recent attacks on critical infrastructure, but also due to the staggering cost of these incidents, which is often passed on to consumers. According to Ponemon Institute’s Cost of a Data Breach Report 2020, the average cost of a data breach worldwide is USD 3.86 million. In the US, that number jumps to an astonishing USD 8.64 million. The Biden administration hopes that by mandating standards for the Federal Government, other smaller organizations such as schools, state and local governments, and small businesses will also benefit.
The executive order outlined a number of key initiatives to combat the increasing sophistication of cyber attacks from both nation states and cyber criminals going forward. They include the following:
“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”
Software supply chain attacks were one of the main focus areas of Biden’s executive order, which isn’t surprising given the far-reaching impact of the SolarWinds attack on the Federal Government.
Under the executive order, the US Department of Commerce’s National Institute of Standards and Technology (NIST) is tasked with publishing preliminary guidelines for enhancing supply chain security within 180 days. This includes defining criteria for evaluating secure software development environments as well as identifying innovative tools or methods that demonstrate conformance with secure practices. Final guidelines are due within a year.
The supply chain guidelines mandate identifying and using automated tools to maintain trusted source code supply chains that ensure the integrity of the code. The guidelines direct federal consumers to check for known or potential vulnerabilities and remediate them on a regular basis as well as to monitor the integrity and provenance of any open source software used within any portion of a software product. In addition, the guidelines also state that purchasers should be provided with a Software Bill of Materials – also known as an Inventory Report – for every software product.
Mend gives you the visibility into your software as required by Biden’s cybersecurity executive order so that you can develop better, more secure code. With Mend, developers and security professionals are given the tools to regularly scan code to identify and remediate known open source vulnerabilities. We also allow you to generate a detailed Inventory Report so that you can identify the components in your software and therefore understand the risks involved in using them.
Mend Diffend is yet another tool in your secure supply chain arsenal. Diffend is a multi-dimensional tool that scans packages and analyses their behaviors to help prevent supply chain attacks. It allows you to inspect changes in packages before they are allowed so you can control the entire process of open source dependency use.
Mend Diffend was created to help protect open source users against software supply chain attacks and has already proven itself to be extremely effective at detecting and blocking attempts at malicious exploits. Mend Diffend had already detected and reported hundreds of malicious packages that were swiftly removed from their registry to protect open source users from accidentally installing malicious code.
With known open source vulnerabilities constantly on the rise, you need an automated tool that gives you visibility and control over your software and helps you develop in a secure environment. Not only does using a tool like Mend make good sense, but it could be the difference between securing or losing a federal contract.
The cybersecurity executive order will have a significant impact on the private sector. Biden is using the power of federal procurement to impel the software industry into creating more secure products. By leveraging the purchasing power of the Federal Government, Biden and his team are hoping that software companies will build security into all software from the ground up, which will have more far-reaching benefits than just for the Federal Government.
Much of the executive order focuses on increased transparency between the public and private sectors as well as adopting the best tools and practices for the job. The ultimate goal is to shift away from incident response to focus on prevention. By building a more secure Federal Government, Biden is hoping to build a more secure global software industry.