The Biden administration’s May Executive Order on Improving the Nation’s Cybersecurity (EO 14028) is the latest in a series of initiatives prioritizing national cybersecurity. Recent breaches have made agencies newly aware of how fragile current security practices are.
In a new MeriTV episode, MeriTalk sat down with Wanda Jones-Heath, principal cyber advisor (acting) and chief information security officer for the Department of the Air Force; David Markham, vice president at INTEGRITY Global Security; and Daniel Carroll, cybersecurity practice manager in the Dell U.S. Federal Office of the Chief Technology Officer, to discuss the cybersecurity executive order (EO), lessons learned, and what’s needed to help fuel continued cyber defense modernization.
For Jones-Heath, the cybersecurity EO sends a strong signal that the nation is urgently prioritizing cyber defense.
“Anytime that we elevate our awareness of cybersecurity, we’re going in the right direction,” Jones-Heath said. “This executive order actually represents the ninth EO that is related to cybersecurity. That means that we have a continuous focus on cybersecurity.”
“I think the EO is timely,” she added. “It gives us a renewed focus on cybersecurity at large.”
Markham also praised the EO, but noted the importance of shifting the cybersecurity mindset.
“Almost all the efforts on security today are reactive,” he said. “The idea of prevention has completely gone by the wayside. There needs to be an emphasis on capabilities that actually prevent malicious activity, not just react to it.”
Markham said one important step is enforcing stricter quality control for IT software and hardware solutions.
“The government can bolster preventative capabilities by expecting products to function properly,” he said. “The software industry is the only engineering discipline I’ve ever seen where the end product is expected to be broken when it’s ready for customer consumption. That mindset has to change.”
The Air Force is a prime example of that mindset changing, according to Markham. “They’ve been way above most organizations when they’re looking at supply chain,” he said. “They’re looking at it holistically, and are focusing on understanding how the power grid affects some of the military bases, as well as the impact of their IoT infrastructure on their IT infrastructure. That’s critical in today’s world.”
This mindset of assumed compromise is reflected in the cybersecurity EO, which directs agencies toward a zero trust architecture in place of the traditional perimeter-based security model.
“Zero trust has to do with the idea of continuous validation, confirmation of resources, and how they function within the network,” Carroll said. “The first discussions around zero trust were roughly in 2007, so I’d recommend avoiding trying to reinvent the wheel. Take this EO in the spirit it’s intended, assess what you’re doing, and figure out how to improve. Don’t try to rewrite the book.”
“Remediation and detection are just part of the process,” Jones-Heath concluded. “But more focus certainly needs to be around prevention.”
For more on mindset shift and the do’s and don’ts that will help the United States to deter escalating cyberthreats, check out the full interview.