At a high level the executive order contains more-or-less what people had been expecting (there have been several reports about what it would probably contain ahead-of-time). It includes a significant emphasis on information sharing, software bill of materials (SBOMs) for all software used by the US federal government, Zero Trust, multi-factor authentication, and encryption.
These are all standard practice even for the unclassified parts of intelligence agencies, which is probably where they borrowed it from. Now applied to the Department of Agriculture.
I dunno - seems far more reasonable to reduce the amount of targets for baddies, especially since our current infrastructure is a much larger target rich environment than it should be!
Could someone comment on how effective using a yubikey is at protecting companies? If they are good, I'm not sure why they aren't used more. I spoke to a gov computer friend and he said they would never use a yubikey.
Is it a significant improvement over a cellphone app like Authy? Not really. Then, sophisticated people need secure enclaves for signing, which are also ubiquitous via iPhones and not in Yubikey.
I'm in the mining space, one thing that I can tell you is that software in the mining and oil/gas space can be horribly archaic, poorly architecture and very poorly supported.
I'm lucky for the most part in that my company is very cutting edge and running latest windows and pushing software devs/vendors to stay as up to date as us. But support for "new" tech like Yubikey authentication is very slow to encroach in these industries.
Yeah I know Yubikey isn't new in the holistic sense. but its a lot "newer" than a lot of the tech in these industries.
They help against phishing and password theft, as it requires a physical item in addition to the password. Doesn't matter much if someone downloads a Word doc with macros and runs it.
two factor authentication can be enabled multiple ways - through dedicated hardware like Yubikey or via software via things like Google Authenticator or proprietary solutions like SecureAuth (around WAY before Google Auth).
What 2 factor is used isn't important - what's important that you use some sort of 2nd factor (your password - something you know as being the first factor) that's limited to one physical device (something you have) that is not easily moveable. And NO, SMS is NOT 2 factor since you can bump a cell phone number from one phone to another pretty trivially with most cell phone companies (unfortunately). SMS is about on par with emailing you a code for secondary authentication. A barrier for a remote hacker who doesn't have physical access to you or your stuff, but not that high of a barrier.
>...but agencies aren’t provided with the necessary appropriations to have the work performed, hence the mandate is left unfulfilled...
This is ultimately, IMO, why many 'cybersecurity' risks manifest. The work to secure things isn't valued and is always undervalued or even unfunded. It takes more time, effort and skill to make more secure software. In addition, adding security layers makes many processes less efficient and more time consuming. Working in secure environments means productivity has to take a hit.
These costs can't continually be passed to software development without appropriate resource allocations. Software already runs 'lean' in most ecosystems. If you want to add more requirements, you need to pay for it because it costs more and tends to add ongoing costs to develop and use more secure software systems.
You really need the software version of a building or fire code so that no individual company can gain a competitive advantage by skipping out on security.
Exactly this. I know some people dread it but I cant wait for the software industry to mature to the point of having ethics boards, building codes, bodies that license professionals, multiple tiers of professionals (think of the nurse vs pa vs physician analog), etc. It’s expensive to build real good software and too often well meaning devs are left trying to cobble together a half finished product on unrealistic timelines overworking themselves to add all the building code in secret because their management didn't understand why it’s necessary. Not to mention the inconsistency in hiring and level of ability you have to wade through when everyone is an “engineer”.
Complete and utter hell. What drives the explosive growth of the industry now is the lack of pointless restriction. Wages are high because more people are allowed to compete as opposed to just those who were lucky or privileged enough to be in the right life circumstance to get some credential.
Tools and processes can be improved, but not by fiat. There is no board of microbial directors guiding cell planning.
I feel I have no succinctly adequate description for you now, but take building codes and healthcare: many laws exist to "protect" people but often what benefits people most directly is more money. Forcing them to spend that money on supporting multiple levels of hierarchy takes their life from them in a very real way (c.f. housing shortage and healthcare shortage).
The explosion is over. Software is ubiquitous. I’d like to treat software engineering like a real engineering profession. I didn't say prevent the volume of people from participating. Rather, incorporate a credentialing system so that maybe your fresh grad or boot-camper isn’t working 18hr days on standing up core infrastructure without the experience to push back against manipulative management or ridiculous client timelines. Prioritizing security will only happen if all engineers require it (otherwise you’d be undercut by someone who doesn't care). That’s why you need governance. We all have to be on the same page about security and reliability and it just happens that not everyone is equally qualified to do security or has the edge to build really reliable systems. And sometimes engineers just need to be protected from themselves even if they are experienced and qualified. It’s easy to say you’ll do that later when there aren’t immediate consequences for not. And we all know how often “later” becomes “never”.
Nothing I’ve described prevents innovation. You can still build your sloppy app really fast and throw it at the wall because it’s probably not doing anything important. But if you’re getting hired commissioned whatever to build real software that keeps industrial systems running or puts things in space or handles personal information or blasts messages at millions of people all at once, etc., there should be a framework to help you communicate costs to people.
Building code exists to prevent houses from falling over. Healthcare credentials exist to prevent damage to human life. As much as I hate the fact that we depend so much on oil, the industry is fundamentally important and the software that operates it should be secure because people run the gas stations when it’s not. You cant really make the argument that the oil industry only happened because some disruptive college kids got together in their garage and had ambition in the face of an unregulated dreamscape. And it’s not like the oil industry cant afford to pay for security.
>I’d like to treat software engineering like a real engineering profession.
I tend to lean libertarian/free market more than anything else, but yes - it's well past time for computer "science" to be more than a cheap label. No one likes to have insurance so we mandate minimums are purchased so affected people have a chance of being made whole. Same thing with software. Why is a critical gas pipeline down for weeks after a ransomware attack? Why wasn't the company able to enact their disaster recovery plan, plow over their network and restore from backup?
Probably because they have backups that have never been tested, systems that aren't even being backed up and if they have a disaster recovery play it probably exists as pure fiction and not as something that is routinely tested and updated to keep up with the state of their operating environment.
I would say the above is business management 101 but to most organizations it's burdensome overhead they don't need to worry about because nothing could ever happen to them, right?
I have little issue with insurance. Smart businesses ask for it anyway, and you can buy insurance for basically anything, including failure to deliver. The problem arises when you mandate credentialism through legislation.
Buddy, most things don't get hacked. It's true they don't get hacked mostly by virtue of nobody caring but assuming the market is efficient then the opportunity cost of these bad things happening must be very low.
In this case a disaster recovery plan existed and was used. They did their job by preparing unknown unknowns, get off your high horse.
> Building code exists to prevent houses from falling over. Healthcare credentials exist to prevent damage to human life.
I never took exception to this, the issue is that e.g. building codes in many areas have become highly specific and overdone to the point of preventing investment in housing.
What slapped me in the face with this was a YTer who was going into the family business of building code inspection. You need an engineering degree yet exercise no critical thinking over what is actually happening, and the father seemed to relish in how much he was costing people when telling them to fix basically cosmetic issues.
There's issues in healthcare, like doctors being overtrained and artificially scarce.
Buddy? (Not sure what your comment about a high horse is about, I made no claims that I am somehow specially qualified and would end up on top or something? I have simply seen what happens many times over when push comes to shove with respect to securing systems. Inevitably they ship because you can always find an engineer and PM who are intensely interested in product and don’t care about edge cases and security. Even on supposed security products!)
And most doctors don't fuck up and most houses don't fall over. It’s about the consequences when things do go south. That’s my whole point. I didn't say every little product itch you want to scratch needs to be compliant. Just that at a certain threshold, it does, and as an industry we should be capable of promoting or surfacing the people who can do those jobs and insulating ourselves as professionals from the effects of cheaper or quicker uncertified labor that claims it can.
It also wouldn't be “free”. With increased levels of certification or whatever would come increased liability requirements. Our industry has a problem capturing liability so nobody has to take responsibility when something like leftpad happens. It’s just another day in the life of “software”.
Just because one organization (the ama) is fucked up and keeps physicians artificially scares doesn't mean all other instances/attempts are doomed to the same fate.
Anyway.. I really don't think we’re that far apart and don't quite understand your antagonistic edge. I hope I didn't offend you.
The rates of IT Security consultants with Fed Gov't experience just increased by 100% overnight - for at least the next 60 days of the date of this order.
There's lots of common sense foundational stuff in there that if more companies did I would be less likely watching people get in fistfights at a nearby gas station :p
I can't find a link to it but Microsoft also announced they are making all of their cloud offerings FedRAMP Moderate compliant - basically adopting all the moderate 800-171 controls for the parts of 800-171 that apply to their cloud offerings.
It wouldn't hurt people to read through and think about the different parts of 800-171 and what they could easily adopt into the workflows they are involved in.
I don't think this is correct usage of the term "unfunded mandate". "Unfunded mandate" means when the federal government requires a separate entity (e.g. state, municipality, company) to perform a function without reimbursement or appropriation of funds. Executive orders (that don't rely on special powers granted to the executive by legislation like emergency powers) only apply to the federal agencies. "Unfunded mandate" cannot describe mandates the federal government places on itself.
edit:
You're right, what's required is a funded mandate. Gas is too foundational to the function of the country to leave to a private enterprise that isn't (and shouldn't be) responsible for a guarantee to provide their service. There should be federal intervention by buying a stake in the industry (though maybe in the case of the petroleum industry the federal government already pays enough but I say that from meme knowledge not actual knowledge).
I am open to more appropriate terminology to indicate an executive order is set forth with no funding provided alongside.
For these orders, the President’s Budget should include requests for Congress to provide appropriations for the work that will need to be performed (the delta between current state and expected state).
Within various parts of the US executive branch, presidential executive orders that say "do X" without funding to match are also called "unfunded mandates" - at least sometimes. I certainly heard the phrase used that way. I don't know if that's an abuse of the term or not.
It is true that it's different when it's applied within the executive branch. The US executive branch has to obey the laws, but it does have some discretion on how it prioritizes the work. So, for example, it could prioritize some of these activities by de-prioritizing (and thus reducing the funds) of other activities. That's hard, because it's often harder to stop something you're already doing (there are often existing groups in place who will be unhappy if you stop it). But it's officially possible, and if it's important enough, then it can be done. The US government's executive branch bureaucracy cares very much about what the president orders, though when there's limited funding the work must be prioritized.
Some of these steps, such as creating new FAR clauses & adding them to contracts, don't require new money (though their results may impose new costs later). But it's fair to say that others will cause costs, and they'll need to go to Congress to try to get that funding.
But that's not insane. The attacks on SolarWinds and friends have been estimated to cost $100 billion in damage to the USG (that's probably too high, but it shows real harm). The latest Colonial Pipeline ransomware, which threatens the US east coast, is making the news. Congress lives on the US east coast. I can easily see that money flowing from Congress.
Agreed, and I see your point, I just see it as the EO doesn't have the authority to (and thus doesn't actually) require such things from private companies and not that it requires something without funding.
In terms of what should be done, I'm not sure whether companies should be expected recoup their costs by raising prices, reducing margins or expect federal funding. My gut reaction is that this level of security should be a cost of doing business and not require federal funds.
Part of why this seems to have teeth though is procurement policy. I was actually kind of excited reading this, seems to do more with more power than I would have guessed.
Though I guess companies probably will jack up their bids to cover any extra costs, even if they should have been doing basic security from the get, so that might be an 'unfunded mandate' in a sense
Any executive order is necessarily an unfunded mandate, because it's issued by the executive without involvement of Congress, which alone can pass actual laws that fund things:
> No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law…
— U.S. Constitution, Article I, section 9, clause 7
There is a discretionary budget allocated to the executive that can be used for funding EOs, although it's not huge when looked at relative to the budget - $800m a year is what's in my head but I could be wrong.
Yes, I suppose, but given the scope of executive orders of late, that funding is not that significant. (Imagine saying that about almost a billion dollars!)
39 comments
[ 3.7 ms ] story [ 90.0 ms ] threadhttps://www.whitehouse.gov/briefing-room/statements-releases...
I'm lucky for the most part in that my company is very cutting edge and running latest windows and pushing software devs/vendors to stay as up to date as us. But support for "new" tech like Yubikey authentication is very slow to encroach in these industries. Yeah I know Yubikey isn't new in the holistic sense. but its a lot "newer" than a lot of the tech in these industries.
What 2 factor is used isn't important - what's important that you use some sort of 2nd factor (your password - something you know as being the first factor) that's limited to one physical device (something you have) that is not easily moveable. And NO, SMS is NOT 2 factor since you can bump a cell phone number from one phone to another pretty trivially with most cell phone companies (unfortunately). SMS is about on par with emailing you a code for secondary authentication. A barrier for a remote hacker who doesn't have physical access to you or your stuff, but not that high of a barrier.
This is ultimately, IMO, why many 'cybersecurity' risks manifest. The work to secure things isn't valued and is always undervalued or even unfunded. It takes more time, effort and skill to make more secure software. In addition, adding security layers makes many processes less efficient and more time consuming. Working in secure environments means productivity has to take a hit.
These costs can't continually be passed to software development without appropriate resource allocations. Software already runs 'lean' in most ecosystems. If you want to add more requirements, you need to pay for it because it costs more and tends to add ongoing costs to develop and use more secure software systems.
Tools and processes can be improved, but not by fiat. There is no board of microbial directors guiding cell planning.
I feel I have no succinctly adequate description for you now, but take building codes and healthcare: many laws exist to "protect" people but often what benefits people most directly is more money. Forcing them to spend that money on supporting multiple levels of hierarchy takes their life from them in a very real way (c.f. housing shortage and healthcare shortage).
The explosion is over. Software is ubiquitous. I’d like to treat software engineering like a real engineering profession. I didn't say prevent the volume of people from participating. Rather, incorporate a credentialing system so that maybe your fresh grad or boot-camper isn’t working 18hr days on standing up core infrastructure without the experience to push back against manipulative management or ridiculous client timelines. Prioritizing security will only happen if all engineers require it (otherwise you’d be undercut by someone who doesn't care). That’s why you need governance. We all have to be on the same page about security and reliability and it just happens that not everyone is equally qualified to do security or has the edge to build really reliable systems. And sometimes engineers just need to be protected from themselves even if they are experienced and qualified. It’s easy to say you’ll do that later when there aren’t immediate consequences for not. And we all know how often “later” becomes “never”.
Nothing I’ve described prevents innovation. You can still build your sloppy app really fast and throw it at the wall because it’s probably not doing anything important. But if you’re getting hired commissioned whatever to build real software that keeps industrial systems running or puts things in space or handles personal information or blasts messages at millions of people all at once, etc., there should be a framework to help you communicate costs to people.
Building code exists to prevent houses from falling over. Healthcare credentials exist to prevent damage to human life. As much as I hate the fact that we depend so much on oil, the industry is fundamentally important and the software that operates it should be secure because people run the gas stations when it’s not. You cant really make the argument that the oil industry only happened because some disruptive college kids got together in their garage and had ambition in the face of an unregulated dreamscape. And it’s not like the oil industry cant afford to pay for security.
I tend to lean libertarian/free market more than anything else, but yes - it's well past time for computer "science" to be more than a cheap label. No one likes to have insurance so we mandate minimums are purchased so affected people have a chance of being made whole. Same thing with software. Why is a critical gas pipeline down for weeks after a ransomware attack? Why wasn't the company able to enact their disaster recovery plan, plow over their network and restore from backup?
Probably because they have backups that have never been tested, systems that aren't even being backed up and if they have a disaster recovery play it probably exists as pure fiction and not as something that is routinely tested and updated to keep up with the state of their operating environment.
I would say the above is business management 101 but to most organizations it's burdensome overhead they don't need to worry about because nothing could ever happen to them, right?
In this case a disaster recovery plan existed and was used. They did their job by preparing unknown unknowns, get off your high horse.
> Building code exists to prevent houses from falling over. Healthcare credentials exist to prevent damage to human life.
I never took exception to this, the issue is that e.g. building codes in many areas have become highly specific and overdone to the point of preventing investment in housing.
What slapped me in the face with this was a YTer who was going into the family business of building code inspection. You need an engineering degree yet exercise no critical thinking over what is actually happening, and the father seemed to relish in how much he was costing people when telling them to fix basically cosmetic issues.
There's issues in healthcare, like doctors being overtrained and artificially scarce.
And most doctors don't fuck up and most houses don't fall over. It’s about the consequences when things do go south. That’s my whole point. I didn't say every little product itch you want to scratch needs to be compliant. Just that at a certain threshold, it does, and as an industry we should be capable of promoting or surfacing the people who can do those jobs and insulating ourselves as professionals from the effects of cheaper or quicker uncertified labor that claims it can.
It also wouldn't be “free”. With increased levels of certification or whatever would come increased liability requirements. Our industry has a problem capturing liability so nobody has to take responsibility when something like leftpad happens. It’s just another day in the life of “software”.
Just because one organization (the ama) is fucked up and keeps physicians artificially scares doesn't mean all other instances/attempts are doomed to the same fate.
Anyway.. I really don't think we’re that far apart and don't quite understand your antagonistic edge. I hope I didn't offend you.
There's lots of common sense foundational stuff in there that if more companies did I would be less likely watching people get in fistfights at a nearby gas station :p
I can't find a link to it but Microsoft also announced they are making all of their cloud offerings FedRAMP Moderate compliant - basically adopting all the moderate 800-171 controls for the parts of 800-171 that apply to their cloud offerings.
It wouldn't hurt people to read through and think about the different parts of 800-171 and what they could easily adopt into the workflows they are involved in.
FYI - Azure commercial is FedRAMP high and I believe O365 Commercial is FedRAMP moderate now. Everything else is equivalent or over and above that.
edit: You're right, what's required is a funded mandate. Gas is too foundational to the function of the country to leave to a private enterprise that isn't (and shouldn't be) responsible for a guarantee to provide their service. There should be federal intervention by buying a stake in the industry (though maybe in the case of the petroleum industry the federal government already pays enough but I say that from meme knowledge not actual knowledge).
For these orders, the President’s Budget should include requests for Congress to provide appropriations for the work that will need to be performed (the delta between current state and expected state).
It is true that it's different when it's applied within the executive branch. The US executive branch has to obey the laws, but it does have some discretion on how it prioritizes the work. So, for example, it could prioritize some of these activities by de-prioritizing (and thus reducing the funds) of other activities. That's hard, because it's often harder to stop something you're already doing (there are often existing groups in place who will be unhappy if you stop it). But it's officially possible, and if it's important enough, then it can be done. The US government's executive branch bureaucracy cares very much about what the president orders, though when there's limited funding the work must be prioritized.
Some of these steps, such as creating new FAR clauses & adding them to contracts, don't require new money (though their results may impose new costs later). But it's fair to say that others will cause costs, and they'll need to go to Congress to try to get that funding.
But that's not insane. The attacks on SolarWinds and friends have been estimated to cost $100 billion in damage to the USG (that's probably too high, but it shows real harm). The latest Colonial Pipeline ransomware, which threatens the US east coast, is making the news. Congress lives on the US east coast. I can easily see that money flowing from Congress.
In terms of what should be done, I'm not sure whether companies should be expected recoup their costs by raising prices, reducing margins or expect federal funding. My gut reaction is that this level of security should be a cost of doing business and not require federal funds.
Though I guess companies probably will jack up their bids to cover any extra costs, even if they should have been doing basic security from the get, so that might be an 'unfunded mandate' in a sense
> No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law…
— U.S. Constitution, Article I, section 9, clause 7
https://www.linuxfoundation.org/en/blog/how-lf-communities-e...