InfoSec Insider

Biden’s Cybersecurity Executive Order Puts Emphasis on the Wrong Issues

David Wolpoff, CTO at Randori, argues that the call for rapid cloud transition Is a dangerous proposition: “Mistakes will be made, creating opportunities for our adversaries.

It’s no secret that foreign adversaries are making a concerted effort to target U.S. government agencies and companies. As technology advances and foreign superpowers gain influence, the game is shifting beneath our feet here in the U.S. Motivated in part by the extent and consequences of the SolarWinds breach, and the more recent Colonial Pipeline ransomware incident, the Biden administration released an executive order (EO) to enhance cybersecurity.

In many ways, the SolarWinds breach and Colonial Pipeline attack represent an uptick in the blast radius of cyberattacks, as it puts on display just how interconnected — and interdependent — the systems are on which the U.S. relies. What this means for defenders: They are fighting down in the trenches with Russia and China, whether they realize it or not.

Let’s Not Do a Rush Job and Create Opportunities for Our Adversaries

As a career hacker and someone who is actively working toward a more effective and well-conceived cybersecurity process, I have long been on the side of aggressive progress, but in the U.S. we have been starved for any sort of official regulation of cyber-infrastructure for many years now. This has led to an era I call the Wild West of cyber, in which anyone could be attacked at any given time without repercussion. In that vein, I am thrilled that our leadership is taking steps toward administering an effective structure for the future. The EO can’t prevent the attacks themselves, but can alter our response.

However, the EO raises a lot of questions, and asks for “bold and significant changes” to tight deadlines on complex systems — tethered to a significant shift in technology. It puts heavy emphasis on migrating traditionally on-premises systems to the cloud, and calls for rapid change in the name of security, but it does not address the issue of the interconnectedness of a cloud migration. If we move too fast, while attempting to shift to the cloud, we will create more issues.

Mistakes are opportunities for hackers. A rapid transition from in-house infrastructure to the cloud has to be done well, or an already tenuous situation might well become far worse. The pressure to move fast is immense, but it’s critical to make sure we don’t increase risk by rushing and overwhelming our extremely complex institutions—and creating a dream scenario for an adversary in the process.

I make my living taking advantage of rush jobs and sloppy IT handiwork. Urgently configured cloud migrations make my job a breeze, especially when we’re taking solutions that weren’t secured well in the first place, to a new cloud environment.

Imagine this scenario: One of our many federal agencies is tasked with migrating a predominantly on-premises system to the cloud to enable remote access for employees. Sensitive information connected to the internet will inevitably expose more things to hackers.

Rearchitect for the Cloud, but with Eyes Wide Open

So, how do we keep our adversaries at bay while we rethink the security of some of our most vulnerable institutions?

We need to be smart, methodical, and purposeful as we transition these vulnerable institutions to the cloud. Shifting to the cloud creates an ever-expanding perimeter, in other words an attack surface, and moving core assets to the cloud produces unknown risks from shadow IT and forgotten infrastructure.

I applaud the emphasis on the zero-trust security model, but am given pause when reading the word “practicable” in the following EO clause. It gives federal agencies a Get Out of Jail Free card when “zero trust” is too hard:

“To facilitate this approach, the migration to cloud technology shall adopt zero-trust architecture, as practicable.” 

When zero trust is not “practicable,” it creates an opportunity for adversaries in Russia, or China, or Iran. When it comes to our nation’s security, we can’t call something impractical, we need fail-safes for our fail-safe. We need to build in resiliency, and that requires stress testing the entire security program.

Federal institutions need time to migrate safely. They need a way to discover and continuously monitor their attack surface, and alert security experts on changes or potential attack targets.

Don’t assume I believe the cloud is less secure. I don’t. To me a database is a database, whether it’s on premises or in the cloud. My concern stems from the potential weaknesses exposed during a hasty migration.

Resiliency, Redundancies and Stress Tests

In the modern era, there is no longer such a thing as a secure system, and trying to quickly rearchitect a system is a recipe for introducing more flaws. The focus needs to shift toward creating resilient systems, which can sustain coordinated and well-resourced attacks without losing operational capabilities.

Resiliency is easier to talk about than achieve. How do you create lots of “hoops” for an attacker to jump through without knowing what’s possible, or where you’re weak? How do you know if the layers of defenses you’ve laid work? You need to know where you’re weak on your perimeter and the most likely place for an attacker to strike. Knowing you’re weak is only half the battle—compromise is inevitable, but breach isn’t. You need to stress-test individual components and the system as a whole. Like any other high-value system, you need to build in layers of defenses and controls to act as redundancies.

The EO addresses many critical components to building a resilient system, yet all the effort could be undermined by a hasty cloud migration that doesn’t deeply examine how to secure an extremely interconnected cloud system. And while understanding the code that makes up our hardware and software systems is important (which takes up much of the EO), its pursuit is keeping us locked in a reactive security strategy, when what we really need is to get proactive.

David Wolpoff is CTO and co-founder of Randori.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.

Suggested articles

Cyberpunk 2077 Hacked Data Circulating Online

CD Projekt Red confirmed that employee and game-related data appears to be floating around the cyber-underground, four months after a hack on the Witcher and Cyberpunk 2077 developer.

Discussion

  • Andrew Marshall on

    Always assuming you believe there is such a thing as the Cloud, there isn't; it's just somebody else's computer. A cloud migration means trusting that a third party will look after your interests as well as you can. Generally there's no contractual compulsion to do so, and the Cloud providers liability is limited. Inevitably, your risk profile increases the further into the mythical Cloud you go.
  • Shirley Zhao on

    the question is whether to adopt innovative decisions or not, and when. It is impossible to solve the security problem, calling it a stress test or anything else. Building on a business case, an organization can take a risk-based approach and build security controls. Security problems are unfortunately inherent.
  • Kyle on

    At least cloud providers understand baselines unlike the majority of companies out there. The problem is that that same majority is getting suckered into P2V conversions that run "in the cloud" because they're too cheap to rebuild their infrastructure with the proper security measures. Buzzword bingo and shitty sales consultants that push tech without understanding what they're pushing will be the undoing of our industry.
  • Kris on

    This is 100% true. SO much of the cloud is in beta right now and the politicians in Washington have no idea. As someone who has worked red team, cybersecurity, devops, this is a mistake. But honestly this President has shown to be asleep at the wheel on most things that matter. You can't legislate from the EO no matter what party is in office. You have to change our bureaucracies from the inside.
  • Jonathan on

    I would love to see how the government plans to move HMIs and PLCs to the "cloud". OT to the cloud is a pipe dream and a complete waste of time. Buzzwords are not effective policy.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.