How do you think Biden’s executive order will be actioned? (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)

1.5k views, 4 Comments
Senior Director, Defense Programs in Software (4 years ago)

It’s certainly being acted upon in Federal, and that is a fair market to develop better tools and processes that many can benefit from. Realistically, there are major technology leaders that didn’t do better before this that we should all be asking why they didn’t define a more secure future.

These are also pieces that have been ongoing for a while & this brings necessary attention. DoC’s SBOM work has been great, NIST’s OSCAL has been in the works for years (and I made plenty of fun of it) and is finally breaking out, and Zero Trust (including TIC 3.0)… Building blocks, and plenty of room to improve.

Chief Information Security Officer in Healthcare and Biotech (4 years ago)

Unless we have something like the software bill of materials (SBOM) there's no easy way for us to adopt Zero Trust across different systems and avenues of data consumption/use. With Zero Trust architecture, one of the biggest verticals is asset inventory management. It's not just the systems, it's the services that interact with them, the wearables and SBOM, which is actually one of the biggest elements of the supply chain. There used to be an open standard in the past, and I'm not sure how widely adopted it was, but there's no regulatory standard as far as I know. There’s no sub aspect to our regulatory body that actually enforces anything similar to the SBOM.

VP, Chief Security & Compliance Officer in Software (4 years ago)

We carry some of these federal certifications, and looking at this new executive order, I think a lot of the companies in those spaces are trying to do the right thing in these areas and strengthen controls around these expectations. At first it’s the heavily regulated industries who gravitate toward these new standards because they have to maintain certification. But then that shift starts to trickle down to supporting industries.

CEO in Services (non-Government) (4 years ago)

When I read this executive order from a policy perspective, I think, "Who the hell is going to implement this?" And: What do you aim at? Do you aim at the biggest picture possible and work backwards, or do you aim at the bottom tier first? I believe you have to start with the middle ground: you work from the top down to figure out what you need and who will be looking at that data. In my world, a multi-dimensional matrix is the best way to do it.

I've been raising this flag about security in the electronics industry and all the industries it feeds for 3 years now, and I haven't seen much change. You can build a Zero Trust architecture, but that should start at RoadM and go through whatever filtration and rules gathering you do as an individual organization. Look at old technologies that are still useful, like Sniffers, Tumbleweed and RoadM in its current incarnation, which takes your data stream and partitions it into channels that you can then break down to get transparency at the packet level. I don't know how else you would approach this.

