In the space of a few months, the United States was the victim of three major attacks. Suspected Russian hackers relied on the SolarWinds vendor's update infrastructure to infect thousands of organizations and break into federal agencies. Then, suspected Chinese hackers exploited vulnerabilities in Microsoft Exchange to steal data from American companies. Finally, cybercriminals deployed ransomware against Colonial Pipeline, a major pipeline operator, throwing the supply of fuel in the eastern and southern United States into chaos.
To ward off such attacks in the future, President Biden has just signed an Executive Order aimed at raising the level of cybersecurity in federal agencies.
From a technical standpoint, they will have to adopt multifactor authentication, encrypt data across the board and deploy threat-detection agents on endpoints. They will also have to plan the implementation of a "zero trust" architecture, which is diametrically opposed to the classic perimeter model and calls into question the implicit trust granted to users and internal services. It is a profound change to their information systems, one likely to occupy them for years to come.
In addition, the order seeks to intensify the exchange of information between the various stakeholders. Those who provide software or services to federal agencies will be required to report security incidents within three days.
Software vendors will also have to be more transparent about the way they develop their software, so that the origin of the different modules can be known and their quality judged.
“Today, we do not know which products are developed in a secure way (…) We trust suppliers blindly, because we have no way of measuring this trust”, stressed Anne Neuberger, national security adviser in the White House, at the RSA 2021 conference.
In the same spirit, the order provides for the creation of a security label for connected (IoT) devices.
To make it more effective, the sharing of threat information is also being opened up across organizational boundaries. Here again, service providers will be called upon to feed this flow of information. As for incident management, it will be standardized across all federal agencies on the basis of NIST standards.
“This will allow everyone to speak the same language. And if necessary, incident response experts can intervene everywhere in the same way. It’s like with firefighters, they all have the same procedures”, explains an expert in cyber resilience within a CAC40 company, who preferred to remain anonymous.
Finally, incidents will be scrutinized by a new committee, the Cybersecurity Safety Review Board, which will bring together government bodies (CISA, Justice, Defense, NSA, FBI, OMB) and private companies. Its purpose will be to produce lessons-learned reports so that the same mistakes are not repeated over and over again.
A different approach in France and in Europe
This new text will certainly help improve the level of security in the United States. However, it is difficult to compare this new regulation with that in force in France and in Europe, where the structures and organizations are very different.
“A country’s cybersecurity posture depends a lot on its size, culture, organization and exposure to threats”, emphasizes our expert in cyber resilience.
France, for example, has adopted a very centralized approach in which critical infrastructures are identified and regulated by the State as operators of vital importance (OIV), a notion introduced with the military programming law of 2013.
These are 200 to 300 public or private organizations that must comply with fairly draconian requirements. In particular, they are obliged to use products and services certified by ANSSI.
A second layer was added in 2016 with the European NIS directive, which seeks to identify operators of essential services (OSE) in each member country.
There are estimated to be between 700 and 900 of them in France, and they too must comply with a set of constraints and rules. At first glance, all this seems more cohesive and better constructed than the US regulations. But that doesn’t necessarily mean it is more effective. Only time will tell.