News Insights: Biden DoD Cybersecurity 2FA Mandate

President Biden issued a new directive intended to strengthen cybersecurity within the Defense Department and intelligence agencies. The directive mandates the use of two-factor authentication and encryption for systems that include the Defense Department and intelligence agencies.

Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems | The White House

News Insights:

Tim Erlin, VP of strategy at Tripwire:

“Today’s memorandum is a follow-up to the Executive Order released last year, and demonstrates that the administration’s strong commitment to cybersecurity continues. It sets a number of additional and more specific deadlines for the NSA, DoD and the Intelligence Community systems.

The memorandum touches on many aspects of the original executive order, including promoting Zero Trust Architecture, implementing encryption, and improving data sharing about incidents.

It may be difficult for the average person to parse what’s happening here, but these kinds of artifacts, memorandums and Executive Orders, are key components in effectively operationalizing broadly applicable policy changes. For example, the inclusion of Zero Trust in this memorandum and in the Executive Order will cause agencies to make specific decisions about what technologies to purchase and implement. These are not surgical changes, but sweeping ones. There’s simply a lot of work that has to go into standardizing cybersecurity across such a large IT footprint. A government-wide shift in cybersecurity policy and implementation will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure.

Zero Trust Architecture holds a lot of promise as a defensive security control. Preventing attackers from accessing resources, and limiting which resources are accessible, is a great strategy, but there’s a big gap between the specification on paper and the realized implementation. These are the gaps that attackers will attempt to exploit.”


James McQuiggan, security awareness advocate at KnowBe4:

“As with similar requests from the Biden Administration last year to organizations, it is crucial to see the need to document all assets, implement zero-trust requirements and multi-factor authentication added to user accounts accessing National Security Systems.

CISOs must maintain asset lists within organizations, so the proper processes and tools are available to protect those systems. If they are unaware of what they have, it is challenging to protect and becomes their weakest link.

It is important to consider that it is not a silver bullet with MFA and will not necessarily prevent attacks. It is rather a deterrent and thus makes it a little harder for cybercriminals to gain access.

One missing item from the order is education around and the creation of a solid security culture among users. When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyberattack.”


Mark Manglicmot, VP of Security Services, Arctic Wolf:

“The line item in the Biden cyber memorandum that includes accountability for federal contractors may be the most important part here as the Defense Department and the security industry play by team sport rules – and to ensure collective cybersecurity – federal contractors need to as well. Federal contractors must be held to the same rigorous standards as the federal agencies that they support. The memo rightly points out something the industry is unfortunately too familiar with – security is only as strong as its vulnerabilities.

Agencies being required to identify their national security systems and report cyber incidents that involve them to the NSA aligns with the advice that industry often tells customers. To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.

A sorely recent example of this is Log4Shell. In the immediate aftermath, every organization rapidly attempted to identify and mitigate the exploit in the vast array of tools and services that drive modern business and connectivity. The situation exploited a weakness in a fundamental part of what were considered strong security postures. So many organizations remain underprepared for this kind of issue and are stuck in the dark when it comes to fully knowing their technology stack. If IT teams don’t have a holistic view of their network from the start, swift and decisive action is rendered nearly impossible. Centrally collecting incident data allows for better trending to be identified and thus improve predictive capabilities.

New security standards and testing requirements for security tools are key. Having a well-known standard sets a baseline that can be enforced and improved upon. Testing is part of a mature security program to test its effectiveness and technical controls. Without testing, it’s unclear just how effective the implementation of these controls is – much less how to improve it as the threat landscape evolves.

In addition to standardizing testing, putting experienced practitioners into leadership roles helps ensure things are clearly defined with practical guidance. Just as it is critical to have a human element to contextualize tools’ output and alerts, it’s important to have industry professionals at the leadership level to do the same for this level of guidance. This shows again how seriously the administration is taking this national security issue.


Andrew Howard, CEO of Kudelski Security:

“These baseline standards have existed under the government’s NIST 800-37 Risk Management Framework for a long time but were not always deployed unless the computer system had significant confidentiality, integrity, or availability concerns. More ubiquitous deployment of multi-factor authentication and hard disk encryption across government systems is a prudent step. The government’s footprint of systems is huge and a strong baseline is a good idea.”


W. Curtis Preston, Chief Technical Evangelist, Druva:

“President Biden’s national security memorandum is one of the biggest directives taken to date to secure our nation’s critical systems. Cloud-based technologies have already proven their agility, flexibility and security compared to hardware-based alternatives. A requirement for federal agencies to more widely deploy cloud technologies will greatly assist in strengthening our nation’s defenses and can immediately help minimize the impact of ever-increasing cyber attacks.

These government-led initiatives are essential if we are going to drive change and ensure resilience for all. The President’s move will lay a critical pathway for concrete government action, as well as providing an example on how private organizations should protect their employees and their data.”


Rebecca Krauthamer, Co-Founder and CPO, QuSecure:

“The aim of the executive order is to standardize cybersecurity requirements for national security systems across all agencies to present a directed and unified front against emerging cyber threats, most notably the very real threat quantum computers pose to today’s encryption standards.

In the past several years quantum computing research and development has sparked serious international competition among countries vying to be the first to build a powerful quantum computer that would be able to, among its various awesome capabilities, devastate our cyber security infrastructure. The reason bringing systems into post-quantum cryptographic compliance cannot wait until the day a sufficiently powerful quantum computer comes online comes down to SNDL, or store-now-decrypt-later data harvesting schemes, where data is stolen and shelved until the hacker has the computational power to decrypt it. Data often has a shelf life – think bank account information, social security numbers, and national security secrets – so data whose secrecy needs to outlive the next several years, when a sufficiently powerful quantum computer is likely to come online, needs to be encrypted in a post-quantum resilient way immediately. This executive order is a significant step in adequately addressing this risk for the US.

The order will help drive updates to classified systems, and should soon drive post-quantum cyber security standards and compliance in highly regulated sectors including finance, healthcare and commercial aerospace.”