A winning streak of hitting deadlines under President Joe Biden’s ambitious May cybersecurity executive order is widely expected to end Monday, affecting changes that administration officials have touted most: implementing multifactor authentication and encryption at all civilian federal agencies.
Multifactor authentication — which requires users to access websites and systems by entering a password and also using a second device to verify their identity — could prevent 80% to 90% of all successful cyberattacks, Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger said in September. Encryption is another of the handful of technologies the administration has emphasized that “dramatically reduce the risk of attack,” Neuberger has said.
The executive order’s goal was to set “aggressive but achievable” deadlines, officials have repeatedly said, and “We’ve met each timeline along the way,” Neuberger said in October.
As important as multifactor authentication (MFA) and encryption are, however, current and former government officials say those processes are also difficult to implement through the federal government. Other single-agency deadlines in the executive order that have passed thus far have focused more on writing policies and strategies than widely deploying advanced technologies.
Officials have been preparing for agencies to fail to meet the deadline to install the security technologies, which have become more common throughout the private sector in recent years. Federal organizations in the coming days are expected to notify the Office of Management and Budget, the White House national security adviser and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency about where they still lack the necessary encryption and authentication technologies — updates that could stave off threats like phishing, data theft and other breaches.
“Do I think that everyone will get there by Monday? Probably not,” said Michael Daniel, a former White House cybersecurity coordinator and OMB official.
Jeanette Manfra, a former CISA assistant secretary for cybersecurity and communications, said it would be “challenging” to meet the deadline across 100% of agencies.
While the administration wrote the executive order explicitly in response to the SolarWinds cyber-espionage campaign, in which suspected Russian spies breached nine federal agencies, effective MFA implementation still likely would not have been enough to protect victims. In one case, attackers subverted MFA entirely, according to the security firm Volexity.
But by setting the deadline at all, the White House has begun pushing agencies to act, Daniel and other say. The executive order requires agencies that don’t meet the deadline to explain why in writing, giving officials a blueprint on the challenges still to overcome. And the officials in charge of the order’s deadlines have been working with agencies on emphasizing high-priority users, and preparing for what happens with agencies that don’t meet the deadline.
A tall order
MFA is an especially effective defense against hacks that rely on passwords, be they stolen via phishing or guessed via brute-force intrusions. In order to subvert MFA, hackers would need access to a second device, too, like a phone that receives the authentication code.
The task of implementing MFA and encryption is also complicated because agencies have so many information systems to protect. The Pentagon, for instance, was required to implement different forms of MFA for both SIPRNet, a system used to transmit classified information, and its unclassified counterpart NIPRNet.
“There are just so many that some organizations are going to look and say ‘Okay, we might have 25 information systems that we’re considering this work on,'” said Henry Young, policy director at the Business Software Alliance who formerly worked on cybersecurity and IT issues at the Commerce Department. “We’re going have to prioritize that work, and move, for example, multifactor authentication on our higher value assets sooner, and, and some we’re going to have to move later.”
There are difficulties in trying to make more sophisticated technologies work with some of the federal government’s older systems, juggling the need to implement the tech with keeping vital systems operating and wrestling with how systems interconnect with one another, said Daniel, who’s now president and CEO of the Cyber Threat Alliance.
Less clear is to what degree agencies will have to go through the federal procurement process, and how much of their budget they’ll need to allocate to authentication. While hardware tokens that offer one way of providing a second authentication factor are relatively cheap individually, retailing for as little as $20, the collective cost could add up significantly for just MFA alone.
Manfra, now global director for risk and compliance at Google, said at least some agencies will have an advantage meeting the encryption and MFA deadline because they “have been working to adopt these solutions for some time. So I think they’re very strong out of the gate.”
Guiding and responding
A draft strategy that OMB produced as part of the executive order offers some guidance to agencies on the kinds of encryption and MFA tech they should use and where they should integrate it.
“OMB has partnered closely with agencies in the development of metrics, including MFA and encryption, and will provide clear policy direction as a focal point in our zero trust strategy,” an OMB official told CyberScoop.
In a statement to CyberScoop, Eric Goldstein, executive associate director of CISA’s cybersecurity division, said “we are working with federal civilian agencies to advance deployment of MFA, particularly for remote access and privileged users.”
Daniel and Young said that the executive order’s require written rationales for failing to meet the deadline will serve as a key incentive for pressuring agencies to act. Agencies won’t be able to get away with simplistic explanations, Daniel said, based on his experience working with the White House. Proud agency officials will be loathe to write explanations at all, since it’s embarrassing confirmation of missing the mark, Young said.
Further, the written rationales will help determine what has to happen to get agencies up to speed.
“The reports referenced are due from agency heads on November 8, at which time we will begin a trend analysis of the common themes faced by agencies and develop appropriate next steps based on that analysis,” the OMB official said.
The White House has been especially eager for updates on how the MFA and encryption deadlines are coming along, Jeff Greene, chief of cyber response and policy at the National Security Council.
Implementing the executive order is “like turning an aircraft carrier at sea,” he said Tuesday. “The hard part is overcoming that inertia.”