InfoSec Insider

Biden’s Cybersecurity Executive Order Puts Emphasis on the Wrong Issues

David Wolpoff, CTO at Randori, argues that the call for rapid cloud transition is a dangerous proposition: “Mistakes will be made, creating opportunities for our adversaries.”

It’s no secret that foreign adversaries are making a concerted effort to target U.S. government agencies and companies. As technology advances and foreign superpowers gain influence, the game is shifting beneath our feet here in the U.S. Motivated in part by the extent and consequences of the SolarWinds breach, and the more recent Colonial Pipeline ransomware incident, the Biden administration released an executive order (EO) to enhance cybersecurity.

In many ways, the SolarWinds breach and Colonial Pipeline attack represent an uptick in the blast radius of cyberattacks, as they put on display just how interconnected — and interdependent — the systems on which the U.S. relies are. What this means for defenders: They are fighting down in the trenches with Russia and China, whether they realize it or not.

Let’s Not Do a Rush Job and Create Opportunities for Our Adversaries

As a career hacker and someone who is actively working toward a more effective and well-conceived cybersecurity process, I have long been on the side of aggressive progress, but in the U.S. we have been starved for any sort of official regulation of cyber-infrastructure for many years now. This has led to an era I call the Wild West of cyber, in which anyone could be attacked at any given time without repercussion. In that vein, I am thrilled that our leadership is taking steps toward administering an effective structure for the future. The EO can’t prevent the attacks themselves, but can alter our response.

However, the EO raises a lot of questions, and asks for “bold and significant changes” to tight deadlines on complex systems — tethered to a significant shift in technology. It puts heavy emphasis on migrating traditionally on-premises systems to the cloud, and calls for rapid change in the name of security, but it does not address the issue of the interconnectedness of a cloud migration. If we move too fast, while attempting to shift to the cloud, we will create more issues.

Mistakes are opportunities for hackers. A rapid transition from in-house infrastructure to the cloud has to be done well, or an already tenuous situation might well become far worse. The pressure to move fast is immense, but it’s critical to make sure we don’t increase risk by rushing and overwhelming our extremely complex institutions—and creating a dream scenario for an adversary in the process.

I make my living taking advantage of rush jobs and sloppy IT handiwork. Urgently configured cloud migrations make my job a breeze, especially when we’re taking solutions that weren’t secured well in the first place to a new cloud environment.

Imagine this scenario: One of our many federal agencies is tasked with migrating a predominantly on-premises system to the cloud to enable remote access for employees. Sensitive information connected to the internet will inevitably expose more things to hackers.

Rearchitect for the Cloud, but with Eyes Wide Open

So, how do we keep our adversaries at bay while we rethink the security of some of our most vulnerable institutions?

We need to be smart, methodical, and purposeful as we transition these vulnerable institutions to the cloud. Shifting to the cloud creates an ever-expanding perimeter, in other words an attack surface, and moving core assets to the cloud produces unknown risks from shadow IT and forgotten infrastructure.

I applaud the emphasis on the zero-trust security model, but am given pause when reading the word “practicable” in the following EO clause. It gives federal agencies a Get Out of Jail Free card when “zero trust” is too hard:

“To facilitate this approach, the migration to cloud technology shall adopt zero-trust architecture, as practicable.” 

When zero trust is not “practicable,” it creates an opportunity for adversaries in Russia, or China, or Iran. When it comes to our nation’s security, we can’t call something impractical; we need fail-safes for our fail-safe. We need to build in resiliency, and that requires stress testing the entire security program.

Federal institutions need time to migrate safely. They need a way to discover and continuously monitor their attack surface, and alert security experts to changes or potential attack targets.

Don’t assume I believe the cloud is less secure. I don’t. To me a database is a database, whether it’s on premises or in the cloud. My concern stems from the potential weaknesses exposed during a hasty migration.

Resiliency, Redundancies and Stress Tests

In the modern era, there is no longer such a thing as a secure system, and trying to quickly rearchitect a system is a recipe for introducing more flaws. The focus needs to shift toward creating resilient systems, which can sustain coordinated and well-resourced attacks without losing operational capabilities.

Resiliency is easier to talk about than achieve. How do you create lots of “hoops” for an attacker to jump through without knowing what’s possible, or where you’re weak? How do you know if the layers of defenses you’ve laid work? You need to know where you’re weak on your perimeter and the most likely place for an attacker to strike. Knowing you’re weak is only half the battle—compromise is inevitable, but breach isn’t. You need to stress-test individual components and the system as a whole. Like any other high-value system, you need to build in layers of defenses and controls to act as redundancies.

The EO addresses many critical components to building a resilient system, yet all the effort could be undermined by a hasty cloud migration that doesn’t deeply examine how to secure an extremely interconnected cloud system. And while understanding the code that makes up our hardware and software systems is important (which takes up much of the EO), its pursuit is keeping us locked in a reactive security strategy, when what we really need is to get proactive.

David Wolpoff is CTO and co-founder of Randori.
