Live From RSAC: Anne Neuberger Addresses President Biden’s Executive Order on Cybersecurity

By Chris Wysopal
May 21, 2021

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, addressed President Biden’s executive order at the virtual RSA Conference this week. The executive order, announced on May 12, 2021, aims to safeguard U.S. cybersecurity and modernize cybersecurity defenses.

As Neuberger explains, this executive order couldn’t come at a more critical time. The Biden administration was challenged with two cybersecurity incidents in the first 100 days – SolarWinds and Microsoft Exchange. Note that the session must have been pre-recorded because she didn’t even mention a third attack that disrupted the Colonial Pipeline.

The incidents proved three major lessons:

  1. Adversaries will look for any opening to attack, including the government’s suppliers.
  2. Partnerships are critical. The government needs the private sector, and the private sector needs the government.
  3. The government needs to modernize cybersecurity defenses.

“[These lessons prove that] we need to shift our mindset from incident response to prevention,” said Neuberger. “We simply cannot let waiting for the next shoe to drop be the status quo under which we operate.”

In the software development world, we call this being stuck in a “break/fix” mentality. It is better to build a software development process that causes fewer “breaks,” which enables you to deliver more software with fewer failures. We are starting to see cybersecurity learn from software development principles, shifting our cybersecurity problems to the left.

Breaches are more detrimental than most organizations realize. Neuberger noted two staggering statistics. In 2019, Accenture reported that the average company spends $13 million per breach. And CIS and McAfee reported that cybercrime cost 1 percent of global GDP in 2018. Organizations are far better off spending the money to secure their applications, including demanding better from their vendors, than waiting for a breach. How many small businesses, schools, hospitals, or government agencies have an extra $13 million to spend on an unexpected breach?

What Neuberger didn’t mention is that the same Accenture study cited an increase of 67 percent in cyberattacks over the past five years. And if cyberattacks continue at this velocity, Accenture calculates a total value at risk of $5.2 trillion globally over the next five years.

The president’s approach is proactive and includes modernizing cyber defenses, returning to a more active role in cybersecurity internationally, and ensuring that America has a better posture to compete. It was the SolarWinds breach that opened our eyes to the fact that we don’t have modern cyber defenses in place. Software supply chain security is of particular concern.

“The current model of build, sell, and maybe patch means that the products the federal government buys often have defects and vulnerabilities that developers are accepting as the norm with the expectation that they can patch later. Or perhaps they ship software with defects and vulnerabilities that they don’t think merit fixes …. That’s not acceptable,” said Neuberger. “Security has to be a basic design consideration.”   

Neuberger hinted that the executive order might require federal vendors to build software in a secure development environment, and that software leveraged by the federal government should include strong authentication and encryption and should limit privileges. As for preexisting critical infrastructure that was built before the Internet, the order will need to find ways to ensure security and visibility.

How will we proactively dissuade foreign adversaries from attacking our software? That’s where a global alliance comes into play. Neuberger – like top executives from Amazon, Microsoft, and Cisco – is calling for an international coalition to promote our cybersecurity.

We need to prove to other countries that we hold cyber attackers accountable for their actions. We can’t just threaten retaliation; we have to act. Proponents of the coalition want to see countries stepping up to prosecute their cybercriminals. As The New York Times stated, “Among the recommendations in the report by the coalition of companies is to press ransomware safe-havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions. It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and ‘know thy customer’ laws.”

Neuberger ends by saying “Bolstering the nation’s cybersecurity, safeguarding our critical infrastructure, and renewing America’s advantages broadly are fundamental to the Biden administration’s commitment to our national security strategy.”

One of my favorite statements from the executive order is “In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” This is a fundamentally different vision than incremental improvements in detecting attacks. It’s a bold change and long overdue.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.