They compromised a Florida water treatment plant, held hospital IT systems hostage, infiltrated government agencies in the SolarWinds attack, and cut off one of the largest U.S. fuel pipelines. There's no doubt that malicious entities, from state-sponsored threat groups to basement-dwelling hackers, are growing more sophisticated, and they are increasingly targeting our critical infrastructure.
Fortunately, there has been an awakening to the importance of modernizing cybersecurity in our critical infrastructure - and it's about time.
On May 12th, 2021, President Biden signed an Executive Order (EO) to “improve the nation’s cybersecurity and protect federal government networks.” This EO comes shortly after the Colonial Pipeline ransomware attack and previous cybersecurity incidents that affected companies from SolarWinds to Microsoft.
Keyfactor commends the US government for its swift action to modernize the federal government’s cybersecurity. However, “federal action alone is not enough” and executive orders only go so far. A cohesive strategy cannot be accomplished without equal partnership and participation by the government and private industry.
This acknowledgment is a step in the right direction. The EO itself recognizes that most of “our domestic critical infrastructure is owned and operated by the private sector.” So while the administration can direct federal agencies and encourage the private sector to follow their lead, it still needs to find ways to encourage and incent participation from the private sector.
As Gartner points out, “cryptography is a critical infrastructure for digital business and, therefore, requires attention and investment.” Let’s break down the most important sections of the EO to where cryptography plays a role in securing our nation for the future.
Zero-Trust Architecture Takes Center Stage
Section 3 of the EO lays out orders for “Modernizing Federal Government Cybersecurity” and specifically calls out advancing in “cloud services and Zero Trust Architecture.” The federal government will be incorporating migration steps following the National Institute of Standards and Technology (NIST) standards.
What does this have to do with cryptography and identity?
As defined in NIST SP 800-207, Public Key Infrastructure (PKI) is an essential component to achieving Zero Trust Architecture. In fact, an executive survey recently showed that 96% of IT security leaders agree that PKI and digital certificates are essential to Zero Trust.
The EO outlines that Zero Trust Architecture “allows users full access but only to the bare minimum they need to perform their jobs.” A critical component for Zero Trust Architecture is the issuance and management of digital identities - both for humans and machines.
However, most companies focus almost exclusively on human identities, without addressing the growing machine identity problem. If you can verify that authorized users are only connecting from authorized machines or devices, you have cut the breach risk footprint significantly.
Research shows that:
- 55% of organizations do not have sufficient IT security staff dedicated to their PKI
- 60% of organizations have no formal access controls for code-signing keys
- 40% of organizations still use spreadsheets to manually track digital certificates
This reality leaves a huge hole in Zero Trust Architecture that must be fixed.
Zero Trust for Machine Identities
Today’s legacy PKI and certificate management practices can’t handle the pace and scale of modern machine identities. To reach a zero-trust posture, companies are shifting to Cloud PKI as-a-Service and SaaS key management solutions to orchestrate these identities at scale.
Complete visibility into every digital key and certificate is crucial for an orderly and effective incident response plan.
The combined solutions of Keyfactor and PrimeKey give customers the assurance they are issuing secure machine identities that have been rigorously tested to current standards (e.g. FIPS, NIST, Common Criteria).
Our crypto-agility platform allows organizations to inventory the certificates and keys in use and quickly identify those encryption keys and machine identities that are not secure or that require maintenance or rotation.
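The inventory step described above, in outline: parse every certificate you can find, then apply a policy (minimum key size, no legacy signature algorithms, expiry within a warning window) and report what needs rotation. The following is an added example, not Keyfactor's or PrimeKey's code; it uses only the Go standard library and constructs its own sample certificates at runtime (an RSA-1024 "legacy-device" identity, a P-256 "web-gateway" certificate ten days from expiry, and a healthy P-256 service certificate), so the bundle is sample data rather than anything from a real estate. The 2048-bit and 30-day thresholds are assumptions chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory issue attached to a certificate subject.
type Finding struct {
	Subject string
	Issue   string
}

// Inventory parses every CERTIFICATE block in a PEM bundle and returns the
// certificates that are not secure or need rotation: undersized keys, weak
// signature algorithms, and validity ending within warnDays of now.
func Inventory(pemBundle []byte, now time.Time, warnDays int) ([]Finding, error) {
	var findings []Finding
	for rest := pemBundle; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM data
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys, CRLs, etc.
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		findings = append(findings, checkCert(cert, now, warnDays)...)
	}
	return findings, nil
}

// checkCert applies the (assumed) policy thresholds to one parsed certificate.
func checkCert(c *x509.Certificate, now time.Time, warnDays int) []Finding {
	var out []Finding
	subj := c.Subject.CommonName
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			out = append(out, Finding{subj, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen())})
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			out = append(out, Finding{subj, "ECDSA curve below P-256: " + pub.Curve.Params().Name})
		}
	default:
		out = append(out, Finding{subj, fmt.Sprintf("unsupported key type %T", pub)})
	}
	switch c.SignatureAlgorithm { // legacy digests that must not appear on a live identity
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		out = append(out, Finding{subj, "weak signature algorithm: " + c.SignatureAlgorithm.String()})
	}
	if !now.Before(c.NotAfter) {
		out = append(out, Finding{subj, "expired on " + c.NotAfter.Format(time.RFC3339)})
	} else if c.NotAfter.Before(now.Add(time.Duration(warnDays) * 24 * time.Hour)) {
		out = append(out, Finding{subj, fmt.Sprintf("expires within %d days (%s)", warnDays, c.NotAfter.Format(time.RFC3339))})
	}
	return out
}

var serial int64 // constructed serial numbers for the sample certificates

// selfSigned builds a constructed self-signed certificate for this example and returns it as PEM.
func selfSigned(cn string, pub crypto.PublicKey, priv crypto.PrivateKey, notAfter time.Time) ([]byte, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle assembles the three constructed certificates described in the lead-in.
func SampleBundle() ([]byte, error) {
	now := time.Now()
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately undersized legacy key
	if err != nil {
		return nil, err
	}
	gwKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	svcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var bundle []byte
	for _, c := range []struct {
		cn    string
		pub   crypto.PublicKey
		priv  crypto.PrivateKey
		until time.Time
	}{
		{"legacy-device", &rsaKey.PublicKey, rsaKey, now.AddDate(1, 0, 0)},
		{"web-gateway", &gwKey.PublicKey, gwKey, now.Add(10 * 24 * time.Hour)},
		{"healthy-service", &svcKey.PublicKey, svcKey, now.AddDate(1, 0, 0)},
	} {
		p, err := selfSigned(c.cn, c.pub, c.priv, c.until)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := Inventory(bundle, time.Now(), 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %s\n", f.Subject, f.Issue)
	}
}
```

Run against the constructed bundle, the report lists the RSA-1024 device identity and the gateway certificate that expires inside the 30-day window; the healthy service certificate produces no finding. In a real estate the bundle would come from discovery (TLS endpoints, key stores, config files), and the thresholds would come from your policy rather than being hard-coded.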
The use cases of PKI and certificates go beyond traditional enterprise use cases. Federal agencies and industries can use certificates to secure connected devices from traditional servers and workstations to the latest IoT devices.
Let’s see how this plays out in section 4.
Supply Chain Security Needs Crypto-Agility
Section 4 focuses on securing connected devices by “Enhancing Software Supply Chain Security.” The EO requires “developers to maintain greater visibility into their software and making security data publicly available.”
For example, it requires vendors to provide the purchaser with a Software Bill of Materials (SBOM) for each product, either directly or by publishing it on a public website. The EO also creates a “pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely.”
IoT supply chain security has been getting more attention. In December 2020, the US government signed the IoT Cybersecurity Improvement Act into law, and NIST's NISTIR 8259 guidance describes how IoT vendors can implement security best practices, including items such as:
- Secure firmware updates by utilizing identities and signing technologies to limit supply chain attacks
- Creating a unique identifier per device
- Using trusted hardware for storage for crypto keys
- Logging & traceability of security actions & operations on devices and applications
- Providing a comprehensive SBOM so that subcomponents where vulnerabilities might occur can be identified
- Building with crypto-agility in mind to update the roots of trust, algorithms, or key lengths during device life
Section 3 makes huge strides in zero trust networking; we want to advance zero trust into supply chain manufacturing as well. We’ve been speaking about the importance of Zero Trust Manufacturing for a while now because supply chain security lacks a comprehensive and practical set of best practices.
As they say, “money talks.” The EO makes clear to use “the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.” Good security does not happen by accident but rather by deliberate and thoughtful design.
No More Kicking the Can
The need to protect the whole supply chain is not news in the security industry, as both hardware and software supply chains have become increasingly complex. Supply chain protection does not come for free, however, and a welcome effect of the Executive Order is that investments and best practices in cybersecurity are incentivized by procurement spending.
We have seen in other similar initiatives globally, such as the NIS directive in the EU, that an initiative like this has the potential to bring security to a more visible position in procurement. This forces security to be built into the design phase and enables procurement to spend on security, avoiding solutions of lower cybersecurity maturity.
Keyfactor and PrimeKey have long experience in enabling machine and device identities directly at the start of the supply chain: from manufacturing and managing those identities over the whole life-cycle, to integrity-protected OTA software updates, to the identity renewals and revocations required by zero trust networks.
Our groundwork is already done with technical standards and guidelines such as the NIST Guidance on Internet of Things Device Cybersecurity, and the industry stands ready to supply solutions based on these guidelines.
While some vendors have suggested there should be “strict financial repercussions for any company” that fails to comply with the EO, repercussions are often not the most effective method to incentivize action.
The government’s own purchasing of software traditionally has incentivized the private sector to compete on price. Including good security in products and the supply chain requires investment and the government's purchasing policy needs to incentivize investment in security rather than using the current model of purchasing based mainly on the lowest price.
We've seen it a lot. Everyone wants expensive certifications, but no one wants to pay for them, making it more of a display rather than a reality.
Take for example FedRAMP, a program mentioned in this EO.
FedRAMP is a solid program for ensuring compliance with government standards for cloud service providers. However, FedRAMP has become an expensive barrier for new cloud-based technologies that could serve the public sector well in protecting systems and offering better incident response solutions.
These certifications can quickly become an albatross around the neck of both innovation and agility in the federal government when implemented.
We’re not done talking about this! Join a panel discussion as we break down the most important sections of the EO and answer your questions on where cryptography plays a role in securing our nation for the future.