Biden's executive order recognises the growing threat that cyber security brings to government and private organisations. So, what does it mean for the Internet of Things?
After a year in lockdown, in which digital technology has made a major leap forward, cybercrime has moved centre stage. In the US, a series of major hacks, prompted President Biden to issue an ambitious executive order focusing on cyber security. This piece of legislation plans to overhaul cyber security in the US and will have far reaching implications for any business using technology such as the internet of things.
The order promises to create a body which would investigate hacks in the same way as the National Transportation Board currently examines plane crashes. It comes after the US was rocked by a spate of hacks including the extortion of the colonial pipeline which sparked fuel shortages and panic buying across the southern US. Hackers also hijacked the software of Texas company, Solar Winds, to access thousands of official emails.
These hacks illustrated how devastating cybercrime can be and how vulnerabilities among commercial companies can be used to breach government security. Third party cyber crime is a serious but still relatively misunderstood threat. A recent studyfound that, although 83% of companies feel third party cyber risk is growing thanks to Covid-19, only 40% are expanding their third party risk management programs.
This is great opportunity for cyber criminals - not so great for everyone else. As good as an organisation's defences are, a third party carrying a flaw can undo all that good work. With government organisations upping their use of third party vendors, this represents a serious weakness in their defences. This Executive Order is Biden's attempt to fix it.
Among the most significant provisions are:
Better sharing of threat information between the government and private sector. IT service providers will share information with the government, including certain breach information.
Boosting the security of cloud services in federal government with a zero trust architecture which requires multifactor authentication and encryption.
Establish minimum security requirements for all software suplied to the government. Providers will also have to provide more visibility for software to make security data available to the public.
A cyber security review board which will meet after any major cyber incident. It will analyse what happened and make recommendations.
Create a playbook for federal organisations to govern responses by federal departments and agencies. The book will enable agencies to meet certain standards and take uniform action.
Increase the ability of Federal government networks by developing the detection of malicious activity with an endpoint detection and response system.
Introduce event log requirements for federal agencies.
The executive order follows up on the Internet of Things Cybersecurity Improvement Act which was signed by Donald Trump. That legislation acknowledged the implicit risks of IoT and aimed to provide a greater incentive for IoT providers to secure their devices.
Technically, this EO only applies to government organisations, but it is intended to act as a north star example, boosting security across the board. Those providers looking to work with the government will also have to ensure their own systems are up to scratch. Upping the expectations of breach notifications for providers aims to reduce the window through which malicious actors can launch attack against the government.
These rules, therefore, signal the direction of travel. The government intends to lead the way bringing the private sector with it. Any company looking to engage with the government will have to ensure they meet its standard.
To do so, you can build upon existing systems. This is not a time to reinvent the wheel, but an opportunity to identify where systems have been lacking and to improve both security and reporting provisions to tighten the window of opportunity for hackers. Most importantly, this legislation shows companies of all kinds where they need to go, and what expectations will be. Although this is only in the initial stages, it's never too early for businesses to start preparing.