Effectively Execute on the New Cybersecurity EO with an Active vs. Passive Security Posture


By Klaus Oesterman, CEO & President, BedRock Systems

The Biden Administration’s recently released Executive Order (EO) on Improving the Nation’s Cybersecurity has highlighted the increasing importance of modernizing cybersecurity infrastructure. And it couldn’t be more timely, as the U.S. government and critical infrastructure continue to deal with the ramifications of major breaches that have proven we can no longer afford the same old response to cybersecurity.

The long-awaited EO focuses on modernizing cybersecurity defenses of federal infrastructure, improving collaboration between the public and private sectors, and solidifying the nation’s ability to respond to cyberattacks. The mandates within make it clear: It’s time for a nationwide shift to turn cybersecurity on its head for both OT and IT systems. The EO states, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” … “The scope of protection and security must include systems that process data (IT) and those that run the vital machinery that ensures our safety (OT).”

Think of it this way: In high-security facilities and buildings there are active guards monitoring the entrances, exits, and hallways. We don’t wait for alarms to sound to secure these buildings; they’re already actively protected. If we continue to approach cybersecurity in a passive way, bad actors will remain one step ahead. To truly modernize cybersecurity, we have to do it differently and embrace an active posture.

No one wants to do the heavy lifting; they just want something that works, a software solution. Deploying more tools to monitor and detect new threat vectors may generate more data, but it doesn’t help find the needle. It just makes the haystack bigger and the needle harder to pinpoint, and typically by the time a threat is detected, the damage is already done. The issue is the cost of remediation and restoration: monitoring and detection are lagging. If we can stop an attack before “it gets in,” as the guards do, the attacker can’t get further into the building.

Organizations need to reduce the complexity of cybersecurity, and they require a secure foundation of trust with active security to move away from software-only solutions and secure the stack from the bottom up.

While the EO highlights areas of focus, it will be easier said than done to execute on these mandates. A few of the sections that caught our attention:

  • Modernizing Federal Government Cybersecurity: Calling for the modernization and implementation of stronger cybersecurity standards within the federal government, this section includes mandates around the execution of cloud services, zero-trust architectures, multi-factor authentication (MFA) and encryption. 
  • Enhancing Software Supply Chain Security: To improve software supply chain security, this section establishes baseline security standards for the development of software sold to the government, requiring developers to maintain visibility and make data publicly available.
  • Improving the Federal Government’s Investigative and Remediation Capabilities: In an effort to improve investigative and remediation capabilities, this section of the EO requires the creation of a cybersecurity event log for all federal departments and agencies.

To effectively execute on these and other elements of the cybersecurity EO, organizations will have to shift their approach to security from passive to active. We must move away from an OT and IT system design that is based on best-effort detection and monitoring (passive) towards one that is built on the implementation of an unbreakable and trusted computing base (active).

BedRock helps organizations take an active approach to cybersecurity. Whether the goal is Zero Trust or increasing your cyber resilience in a contested environment, we change the asymmetry to favor the defender over the attacker. We have the capability to do that now with BedRock.

Contact us today to see how BedRock can help your organization execute on the new EO initiatives and secure your organization against future cyberattacks.
