How the May 2021 Biden cybersecurity EO set the industry in motion
Three years ago on May 12, 2021, the White House issued an executive order (EO) that called for adopting security best practices led by the federal government and its agencies to quickly and drastically improve the cybersecurity posture of the United States.
In this EO, President Biden issued 11 sections defining where improvements in policy, sharing of information, software supply chain cybersecurity, incident response, investigations, and national security systems should be made.
The May 2021 EO emphasized building Zero Trust Architecture (ZTA) through the establishment of a Cyber Safety Review Board. The common goal of all aspects of these orders was a call for greater collaboration between federal agencies, private sector organizations, and the rest of the intelligence community (IC).
Three years later, there have been tremendous wins from the prioritization of cybersecurity by both public sector agencies and commercial companies that interact with the data of United States citizens. There’s also been more of an effort made by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to enforce an adherence to the concept of ZTA in support of the EO’s third section around modernizing the federal government’s cybersecurity.
ZTA initiatives
ZTA represents one of the largest areas of progress that has been made in the nation’s cybersecurity since the release of the Biden EO. While still sometimes used as a buzzword that can lead to confusion, this EO defined ZTA as a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. That definition has given birth to the model itself, being issued through collaborative efforts between CISA, the FBI, and the IC in September of 2021 and then again in “Version 2.0” released January 2022. In the updated model, a once inconsistently defined concept now has specific, achievable objectives that focus on identity, devices, networks, applications and workloads, data, and cross-cutting capabilities.
Many in the industry now view ZTA as a far-reaching concept that pervades almost every area within the security practice, as well as information and operational technology in general. But for those components that involve connections between the trusted environment and unverified internet infrastructure, our team has seen that rather than implicitly trusting domains unless or until there’s a reason to block them, it’s becoming increasingly popular since the release of the EO for organizations to automatically block all domains younger than a certain threshold.
Artificial Intelligence
The May 2021 EO did not factor AI in its plan for strengthening cyber resilience, yet the pace of change has rapidly evolved, leading to the discovery and exploitation of new vulnerabilities, despite an intentional response by most federal agencies to make improvements. AI focuses on helping computers learn on their own, adjust to new inputs, and perform tasks – all without human intervention. Made up of several different types of learning, AI has become useful in everything from IT security to robotics, deepfake videos, and real-time translation of conversations.
President Biden released an additional executive order in October 2023 calling for safe, secure, and trustworthy AI, but this release came a year after large language models (LLMs) such as ChatGPT and its peers had already seen widespread adoption.
The data most LLMs are training on has already been released and the pace of change has rapidly evolved within the cyber threat landscape, leading to the discovery and exploitation of new vulnerabilities, despite an intentional response by most federal agencies to make improvements. CISA has issued several advisories on the cybersecurity risks now faced by LLMs, deepfakes, and malware authoring, and the industry has adjusted as best it can.
In the years to come, the intersection between AI and cybersecurity will likely become more synonymous in the eyes of organizations in the United States and vetting LLMs will likely become a part of a security plan. There’s a great deal of work ahead, especially with the emerging field of AI, but now’s a good time to reflect on the real progress that’s been made. In many ways, the May 2021 EO set a blueprint for the challenges ahead and how the industry must respond.
Malachi Walker, security advisor, DomainTools