On May 12, 2021, the Biden administration made cybersecurity history by signing into order an executive framework that fundamentally shifts how we approach securing our country. The Biden administration’s five-pronged approach to modernizing and strengthening our nation’s cyber defenses comes not a moment too soon.
Ransomware has become our nation’s latest and most cunning adversary. Globally, we spent $173 billion on cybersecurity last year, yet we have more breaches than at any time in history—and they’re the most catastrophic breaches of all time, causing global economies and business transactions to come to a complete standstill and costing American taxpayers the equivalent of millions of dollars annually. Most recently, Colonial Pipeline paid nearly $5 million to Eastern European hackers, following a cyberattack that forced the first-ever full shutdown of its main pipeline and sent gas prices soaring.
SolarWinds, Microsoft Exchange, and now the Colonial Pipeline cyberattack have made it abundantly clear that the need for cybersecurity reform has never been greater. This is something that we all know, and this is something that the federal government has long been aware of. But what the Biden administration acknowledged Wednesday, and where cybersecurity history was truly made, is that cybersecurity solutions alone aren’t failing us. It’s the model that’s failing us.
Our entire approach to cybersecurity since the early 2000s has been about shoring up our perimeter defenses—keeping the bad guys out. Incidents like SolarWinds have opened the public’s eyes to the fact that attackers, our adversaries, are already in our networks. They’re already in our supply chains, and they already have access to our infrastructure. On the off chance that they haven’t already infiltrated our supply chains, they soon will—and to deny that would be a fundamental underestimation of our nation’s cybersecurity shortcomings.
In this executive order, the Biden administration mandated a new cybersecurity framework that puts cyber resilience front and center. These mandates go beyond prevention and detection strategies so we can stop minor incidents from becoming cyber disasters. Those newfound mandates are largely founded on a single framework: Zero Trust.
Google “Zero Trust” and you’ll find a million different definitions. A recent blog post by Forrester analyst Steve Turner puts it best, “Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’”
Section 3 of the executive order states:
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity…The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services…and invest in both technology and personnel to match these modernization goals.”
In Section 3B, the order goes on to explain that within 60 days, the heads of each federal agency must develop a plan to implement a Zero Trust architecture within their organization. In section 4G, the order notes that agency heads must apply practices of least privilege (the concept of limiting access to all information, applications, and systems from all users and only granting access to those who require it), network segmentation (not allowing any user or communications to travel between clouds, networks, data centers, or applications unless explicitly stated—also known as Zero Trust Segmentation), and proper configuration within the next 60 days. These explicit instructions outline long acknowledged industry best practices when it comes to cybersecurity and Zero Trust.
In short, we can only expect this order to be as effective as those that abide by its mandates. The move to a Zero Trust architecture won’t be achieved overnight. But with this executive order and recognition that it’s time for meaningful change, I’m optimistic that we’re on the right path to bolstering our nation’s cyber resiliency. We’re on our way to a world where every incident doesn’t have to be catastrophic—and that should be our nation’s No. 1 priority.
Andrew Rubin is the CEO and cofounder of Illumio, a cybersecurity company.
