By Charles Joseph | Cybersecurity Advocate
On May 12, 2021, U.S. President Joe Biden signed Executive Order 14028: “Improving the Nation’s Cybersecurity.”
The order arrived on the heels of a series of damaging cyberattacks, including the Colonial Pipeline ransomware crisis. It instructs federal agencies to adopt new cybersecurity safeguards and standardizes how the government responds to incidents.
But just what is the order designed to accomplish? And what implications does it have for the wider public?
Executive Order 14028 at a Glance
- Executive Order 14028, created in response to a wave of cyberattacks against the U.S., establishes cybersecurity as a high priority for the federal government.
- Under the order, software companies and service providers that work with the federal government will be required to undertake greater cybersecurity precautions and provide greater transparency about their products.
- The federal government will respond to cyber incidents using a new standardized playbook, comprehensive and integrity-protected logs, and a review board made up of both agency officials and private-sector security experts.
- Consumers will also see the benefits of the order in the form of new cybersecurity information labels for software and IoT devices, which will help them choose more secure products.
Everything You Need to Know About Cybersecurity Executive Order 14028
What Is Cybersecurity Executive Order 14028?
Cybersecurity Executive Order (EO) 14028, signed by President Biden on May 12, 2021, calls on federal agencies to improve their cybersecurity practices.
It emphasizes software supply chain security, a modernized security architecture built on zero trust, and more transparent sharing of threat information between the public and private sectors. The EO also establishes the Cyber Safety Review Board, a group of government officials and private-sector cybersecurity experts charged with reviewing significant cyber incidents and recommending improvements.
Why Was Cybersecurity Executive Order 14028 Created?
In 2020 and 2021, a series of sophisticated cyberattacks struck governments and private companies around the world, with the U.S. hit especially hard.
It began in or before March 2020, when a hacking group later attributed by the U.S. government to Russia's SVR intelligence service compromised SolarWinds and distributed a trojanized update of its Orion network-monitoring software, which was widely deployed across the U.S. government. Once inside, the attackers also abused Microsoft cloud identity services and VMware products to reach further into victim environments.
For at least eight months, the attackers were able to access emails, documents, court files, source code, cryptographic certificates, and other sensitive data. The campaign wasn't publicly disclosed until December 2020, by which time it had impacted the Treasury Department, the NSA, the NIH, the FAA, the Department of Justice, and even the Cybersecurity and Infrastructure Security Agency (CISA) itself.
The attacks continued in January 2021, when attackers began exploiting four previously unknown vulnerabilities in on-premises Microsoft Exchange Server, chaining them to gain access without valid credentials and then run code on the server. By the time Microsoft disclosed and patched the flaws in March, an estimated 250,000 servers around the world had been affected, including 30,000 in the U.S.; international victims included the European Banking Authority and the Norwegian parliament.
Microsoft investigated the attack and concluded that it was likely perpetrated by a Chinese government-sponsored hacking group. China denied any involvement, but the U.S. was still alarmed by the apparent surge in state-sponsored cyberattacks.
In May 2021, much of the eastern U.S. was affected by a ransomware attack on Colonial Pipeline, which carries roughly 45% of the East Coast's fuel, including gasoline and jet fuel. The Eastern European ransomware group DarkSide encrypted Colonial's business IT systems and demanded 75 bitcoin (about $4.4 million at the time). The pipeline's operational systems were not themselves locked; Colonial shut the pipeline down as a precaution while it worked out how far the intrusion had spread.
Colonial paid the ransom, despite the FBI's standing advice against paying, but pipeline operations weren't fully restored for nine days; the Justice Department later recovered about 63.7 of the 75 bitcoin. 87% of gas stations in Washington, D.C., ran out of fuel, and flights were diverted or canceled at several airports.
By this time, it was clear that cyberattacks on the U.S., whether perpetrated by another nation or a criminal group, posed a massive threat. Five days after the Colonial Pipeline attack, President Biden signed EO 14028, signaling that cybersecurity was now a top priority for the federal government.
What Does Cybersecurity Executive Order 14028 Do?
EO 14028 contains eleven sections. The first nine set out substantive requirements for modernizing the nation's cybersecurity standards; the last two cover definitions and general provisions.
Section 1: Policy
Section 1 of EO 14028 instructs the federal government to bring all of its Federal Information Systems (computer systems, whether on-site or cloud-based) up to a new, secure standard.
It establishes a partnership between federal agencies and the private tech sector, who will collaborate to create more secure products and make the nation’s cybersecurity infrastructure more transparent and trustworthy.
Section 2: Removing Barriers to Sharing Threat Information
Section 2 addresses contracts between cloud service providers, ISPs, software companies, and other contractors whose ability to share threat or incident information with governing bodies is limited by contractual language.
It requires such contractors to collect and store information about cybersecurity events, detection, investigation, and prevention, and to do so in an accessible, industry-standard way. This data must then be shared with the relevant agencies, including CISA.
Section 3: Modernizing Federal Government Cybersecurity
Section 3 names specific cybersecurity practices that federal agencies must now implement.
Its main focus is on zero trust architecture, which treats no network location as inherently trusted: every request for access to an official system is authenticated and authorized on its own merits, and each user is granted only the minimum systems and data required to perform their job.
Federal agencies will need to migrate their systems to a zero trust model, with an emphasis on secure cloud services. Within 180 days of the order, agencies must also adopt multi-factor authentication and encryption for data both at rest and in transit.
Section 4: Enhancing Software Supply Chain Security
Citing a current lack of transparency from software companies regarding the development and security of their software, section 4 seeks to boost the integrity of the software supply chain.
It calls on the government, academia, and the private sector to collaborate on a set of standards, tools, and guidelines regarding software security and development practices. These standards must be adhered to by any company producing software for federal government use.
The standards cover software development environments, authentication and encryption, cyber incident monitoring, vulnerability testing and disclosure, and the provenance of source code and dependencies. They also require companies to provide a Software Bill of Materials (SBOM) for each product: a formal record of the components (libraries, packages, and their versions) that went into the software and the supply chain relationships between them, so that a purchaser can tell whether a newly disclosed vulnerability affects what they are running.
Section 4 also establishes a pilot program that adds security labels and warnings to consumer IoT products and software. These labels may include security ratings that indicate cybersecurity test results, similar to the data provided by Energy Star appliance labels.
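The practical value of an SBOM is that it can be checked mechanically against vulnerability data. The following is an added example, not code from the executive order or from any SBOM tool: it reads a minimal, constructed SBOM in the CycloneDX JSON layout, compares each component's package URL and version against a hand-written advisory table (the log4j-core range reflects the real CVE-2021-44228 affected versions; everything else is constructed), and reports components that are vulnerable, clean, or unassessable because the SBOM omits a version.

```python
"""Check a CycloneDX-style SBOM for known-vulnerable components.

Added illustration only. The SBOM and advisory table below are constructed
for the example; in practice the advisory data would come from a real
vulnerability feed such as the NVD or a vendor advisory.
"""
import json
import re

# Constructed sample SBOM, trimmed to the CycloneDX 1.4 fields used here.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "left-pad",      # no version: cannot be assessed
         "purl": "pkg:npm/left-pad"},
    ],
})

# Constructed advisory table: purl without version -> (advisory id, introduced, fixed).
# CVE-2021-44228 (Log4Shell) affected log4j-core 2.0-beta9 through 2.14.1;
# the first fixed release was 2.15.0.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("CVE-2021-44228", "2.0", "2.15.0"),
    ],
}


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.
    Pre-release suffixes are dropped, which is adequate for dotted versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def purl_base(component):
    """Return the component's purl stripped of its @version and ?qualifiers, or None."""
    purl = component.get("purl")
    if not purl:
        return None
    return purl.split("@")[0].split("?")[0]


def check_sbom(sbom_json, advisories=ADVISORIES):
    """Return one finding per component: {'component', 'status', 'advisory'}.
    status is 'vulnerable', 'ok', or 'unknown' (no version to compare)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        base = purl_base(comp)
        label = base or comp.get("name", "?")
        version = comp.get("version")
        if not version:
            findings.append({"component": label, "status": "unknown", "advisory": None})
            continue
        v = parse_version(version)
        hit = None
        for adv_id, introduced, fixed in advisories.get(base, []):
            # A component is affected if introduced <= version < fixed.
            if parse_version(introduced) <= v < parse_version(fixed):
                hit = adv_id
                break
        findings.append({"component": f"{label}@{version}",
                         "status": "vulnerable" if hit else "ok",
                         "advisory": hit})
    return findings


def vulnerable_components(sbom_json, advisories=ADVISORIES):
    return [f["component"] for f in check_sbom(sbom_json, advisories)
            if f["status"] == "vulnerable"]


def unassessed_components(sbom_json, advisories=ADVISORIES):
    return [f["component"] for f in check_sbom(sbom_json, advisories)
            if f["status"] == "unknown"]


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM):
        print(f"{f['status']:10} {f['component']}  {f['advisory'] or ''}")
```

The "unknown" status is deliberate: an SBOM entry without a version is a gap in the record that the supplier must fix, not something the consumer should silently treat as safe.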
Section 5: Establishing a Cyber Safety Review Board
Section 5 creates the Cyber Safety Review Board, composed of federal officials and private-sector cybersecurity experts.
The Board is tasked with reviewing significant cyber incidents after the fact, assessing how they were handled, and recommending improvements to the government's cybersecurity and response practices.
Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Section 6 instructs CISA to develop a standardized playbook for planning and conducting responses to cyberattacks and vulnerabilities.
The playbook must be comprehensive yet flexible enough to cover all manner of incidents and vulnerabilities. It must track progress through every phase of a response, require CISA to review and validate each agency's response and remediation results once the agency has finished, and define key terms consistently with their statutory definitions.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 directs the federal government to use all appropriate resources to detect cybersecurity vulnerabilities and incidents on its networks.
A government-wide Endpoint Detection and Response (EDR) initiative, coordinated by CISA, will support proactive detection of intrusions across all agencies, along with active threat hunting, containment, and remediation. It is to be deployed so that it does not disrupt mission-critical systems while still letting hunters look for attackers already inside.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
Section 8 requires agencies and their service providers to collect and retain system and network logs for defined periods, to protect those logs with cryptographic methods so that any tampering can be detected and periodically verified against stored hashes, and to make them available on request to agency heads, security operations teams, CISA, and the FBI.
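The order says logs must be cryptographically protected and periodically verified but does not prescribe how. One common technique is to chain each entry to its predecessor with an HMAC so that an edited, reordered, or removed entry breaks the chain. The following is an added example of that technique, not code from the executive order or any agency; the signing key and the log events are constructed for the illustration.

```python
"""Tamper-evident log chaining with HMAC-SHA256.

Added illustration of one way to give logs integrity protection. Key and
events are constructed; a real deployment would keep the key in an HSM or
KMS, out of reach of the hosts that merely write the log.
"""
import hashlib
import hmac
import json

KEY = b"example-log-signing-key-not-for-production"  # constructed
GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample events.
SAMPLE_EVENTS = [
    {"ts": "2021-05-12T09:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2021-05-12T09:01:30Z", "user": "alice", "action": "read", "object": "/hr/payroll.csv"},
    {"ts": "2021-05-12T09:02:10Z", "user": "mallory", "action": "login", "result": "failure"},
]


def _canonical(record):
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(key, prev_tag, record):
    """HMAC over the previous tag and the record: each entry commits to its predecessor."""
    msg = prev_tag.encode() + b"\n" + _canonical(record).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events, key=KEY):
    """Return log lines of the form {"prev": <tag>, "record": {...}, "tag": <hmac>}."""
    lines, prev = [], GENESIS
    for ev in events:
        tag = _tag(key, prev, ev)
        lines.append(json.dumps({"prev": prev, "record": ev, "tag": tag}, sort_keys=True))
        prev = tag
    return lines


def verify_chain(lines, key=KEY):
    """Recompute every tag. Returns (ok, index_of_first_bad_entry_or_None).

    Detects edited records, reordered entries, and entries removed from the middle.
    Truncation at the tail is not detectable unless the final tag is anchored
    somewhere the attacker cannot reach (a separate system, or a signed checkpoint)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        expected = _tag(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev = entry["tag"]
    return True, None


def tamper_record(lines, index, field, value):
    """Copy of the chain with one field of one record altered, for demonstration."""
    out = list(lines)
    entry = json.loads(out[index])
    entry["record"][field] = value
    out[index] = json.dumps(entry, sort_keys=True)
    return out


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact chain: ", verify_chain(chain))
    print("edited entry: ", verify_chain(tamper_record(chain, 2, "result", "success")))
    print("dropped entry:", verify_chain(chain[:1] + chain[2:]))
```

The periodic verification the order describes maps onto running `verify_chain` on a schedule and alerting on the first failing index; the last tag should also be copied to a system the log writers cannot modify so that silent truncation is caught too.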
Section 9: National Security Systems
Section 9 exempts National Security Systems — those involving intelligence, weapons, military activities, and other matters of national security — from the EO.
Standards for these systems will be set by a separate National Security Memorandum. They will be equivalent to or stricter than those set by EO 14028.
How Does Executive Order 14028 Affect Me?
For the most part, EO 14028 pertains only to the federal government and its contractors.
Those who work for the federal government will find themselves undergoing stricter authentication processes when accessing official systems, and may lose access to systems that aren’t essential to their job tasks. They may also have to transition to new, more secure software as agencies are forced to switch to EO-compliant programs.
System logs, network logs, and cybersecurity incident logs will also become more commonplace — and more comprehensive. More detailed, protected record-keeping will be required, as will more inter-agency communication regarding cyber attacks.
Employees of cloud service providers, software companies, and other contractors will be required to beef up their security practices. The new SBOM requirement will necessitate a more thorough vetting of all tools and code used in government software, and components that aren’t up to standard must be replaced with ones that are.
For those who don’t fall into those categories, the most noticeable effect of the EO will be the new security labeling program for software and IoT devices. This will allow consumers to make more informed decisions about their tech purchases and find out which of their devices and software may be compromising their security.
However, private businesses and non-federal agencies are also free to adopt the standards set by the EO, and many will likely do so. This will not only open the door for potential government contracts in the future, it will also make the new regulations more effective — the more evenly they’re applied, the stronger they are for all.
Has Executive Order 14028 Been Effective?
Each section of EO 14028 contains its own deadlines for implementation, and not all of them have come to pass yet. But many have, and the effects are already noticeable.
For instance, the Cyber Safety Review Board has conducted reviews of the devastating Log4j vulnerability and the notorious Lapsus$ cyber extortion gang.
CISA has compiled and released its cybersecurity incident response and vulnerability response playbooks. Meanwhile, the National Institute of Standards and Technology (NIST) has released its Secure Software Development Framework (SP 800-218) and its Cybersecurity Supply Chain Risk Management guidance (SP 800-161 Rev. 1).
And according to the Linux Foundation, 76% of organizations surveyed are willing to change their policies to comply with the EO’s new software security requirements for federal software vendors.
Though there’s still a long way to go before EO 14028 is completely fulfilled, the progress made so far has gone a long way towards protecting the U.S.’s national computer systems from the ever-increasing threat of cyberwarfare.
Cybersecurity Executive Order 14028 makes significant changes to the U.S. cybersecurity posture and is well overdue.
It establishes a framework for organizations to share intelligence on threats, manage cybersecurity risks, and identify security weaknesses.
EO 14028 Key Points
- Remove barriers to threat information sharing between government and private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Develop a standardized playbook for responding to cybersecurity vulnerabilities and incidents
- Improve investigative & remediation capabilities
- Service providers must share information about cyber incidents and threats affecting government networks
- Federal government shifts to secure cloud services & Zero Trust Architecture (ZTA)
- Deployment of multifactor authentication & encryption within a specific period
- Establish baseline security standards for secure software development
- Government and private-sector leaders serve on the Cyber Safety Review Board (CSRB)
- Ability to identify/prevent cyber attacks on federal networks
- Federal departments/agencies are required to create a cybersecurity event log
The full Executive Order can be read here.
Unpacking Executive Order 14028: Improving the Nation’s Cybersecurity (Video)
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, renowned computer security professional