Quick Summary - CyberSecurity is in the news and in a big way with surging high-profile cyber attacks crossing the lines and continuing to run amok. In response, President Biden issued an Executive Order (EO).
Are the ransomware criminals shaking in their shoes? Should they be? And what does the EO mean for you?
7 mins read
June 23, 2021
President Biden’s Executive Order on Improving the Nation’s Cybersecurity comes on the heels of numerous major breaches. The attacks on Microsoft Exchange, Solar Winds, and the Colonial Pipeline seem to have stiffened the camel’s back, rather than breaking it. The vast majority (90%) of the EO sets out time tables over the next year by which US federal agencies with the help of private sector cybersecurity specialists must complete a wide range of studies, reports, policy updates, and create a metric butt-ton of paperwork.
It’s not exactly a “Declaration of War” against hackers and ransomware criminals if that’s what you were expecting. But, it reads a lot more like a letter to federal agencies and software developers demanding them to start preparing for war. It’s highly defensive in context, but realistically speaking, it’s necessary to be able to identify a threat in order to respond directly to it. So, the Cyber criminals out there aren’t quaking yet and it may be some time before they start.
It’s the other 10% that signifies a potentially dramatic shift to the future of software development. There certainly may be other points to follow with all of the paperwork, but three points stand out in Section 4 – Enhancing Software Supply Chain Security:
The SBOM is likened to a “list of ingredients” as you would find in any packaged food product, See also: National Telecommunications and Information Administration. For an SBOM generator, check out SwiftBOM.
The consumer labeling program and potential rating system are likely to be analogous to programs like the EU Mark and environmental impact ratings systems like LEED (except for security).
For Israeli and most other global companies, there may be an inclination to say, “So what? President Biden can only tell US Agencies what to do, right?” Sort of. However, US agencies and contractors may also require any third-party software and systems they use to also comply or they’ll switch to someone who does. By extension, this could impact organizations like NATO and/or lead to other countries adopting the same or similar standards. The EU Mark, for example, is a device for products attesting to their meeting EU product standards.
The impact will stretch well-beyond US government agencies. The inclusion of a consumer rating system alone stands as one indicator that concern also exists over the thousands of attacks against small businesses – compromising the personal data of millions of people. This element is only in the idea stage, so we’ll discuss it further at the end of this article.
Third-Party Contracts and Information Sharing – The mandate sets a new precedent for government agencies and organizations with which they do business to share information that historically hasn’t been. Government agencies will be reviewing their contracts and making adjustments to facilitate the sharing of CyberSecurity threats and unusual activity taking place via your software.
Software Bill of Materials – You’ll need to itemize all of the software components included in your software. This is huge, for reasons we’ll get to below.
Increased Demand for Security Specialists – The International Information System Security Certification Consortium (ISC2) in 2020 asserted a global need for an additional 3.1 million CyberSecurity specialists. This is likely to have the single largest impact for software development companies – whether startups or enterprises.
The Cost of Poor Software Quality in the US: A 2020 Report by Herb Krasner of CISQ takes a comprehensive look into the reasons and costs of software failures. It’s highly recommended reading for tech companies of all sizes and software engineering managers.
Open Source components are a very large area contributing to poor quality software. He cites the Synopsis Black Duck Audit database pointing out (among other thing) that:
Later in his report, Herb also talks about problems with “low code/no code” systems also introducing quality issues and vulnerabilities of their own.
SBOMs serve to identify all of the components used in a software product. Each component can then be examined for vulnerabilities according to a database. One can expect to need to fix these vulnerabilities if you’re doing business with a government agency or technology supplier.
CyberSecurity requirements vary by project and should be defined in the software specification. If it isn’t, you’ll want a security specialist to conduct a review of your project to determine what you will need. It’s advisable to have at least one member of your development team specializing in CyberSecurity — for small businesses and startups. Over time, you’ll want to ramp up your capabilities, as hackers and ransomware criminals target small businesses even more frequently than enterprises.
Requirements will vary according to the programming languages used in your software development and the nature of the software itself. The following table provides a quick reference of the languages, certifications, and skill sets you’ll want to consider.
Certifications are not always essential and can be compensated by appropriate experience in a number of skill sets including:
If you decided to hire a development team in Ukraine or even open an R&D center, this calculator helps you figure out how much it would cost.
The potential ramifications of this Executive Order are important enough to consider the thoughts of dedicated CyberSecurity specialists. We recommend:
These components are in the earliest stages of discussion. So, this is conjecture, but in a broader sense presents large-scale opportunities for businesses specializing in security systems.
At some point within the next year, it is likely that an existing agency will be forced to expand its role to cover the evaluation of software. There’s a lot of software out there. This is scary to even contemplate, suffice that there’s a chance that such a system will be deemed unviable. There are millions of software products.
The US Food And Drug Administration, responsible for evaluating “Software as a Medical Device” did adjust to a more Agile approval system under the Trump administration. The previous approval process could take months when the fix could be completed within a matter of hours.
Herein, the FDA’s new pilot program focuses on vetting of organizations instead of individual software products. Now, medical app developers are responsible for rapidly fixing defects and problems when they come to light instead of resubmitting for another lengthy delay before the next review is conducted. Medical apps represent only 4-5% of software applications, and from a much smaller pool of developers.
The most realistic scenario is that the US Government will issue contracts to existing CyberSecurity organizations to handle the certification process. While this is purely speculation, it’s a tip to pass along to any CyberSecurity professionals and organizations you may know to keep an eye on how this policy evolves.
