Getty Images / Yuichiro Chino

The Automation Gap in Biden’s Cybersecurity Order

Network defense in the 21st century requires AI-powered penetration testing.

The Biden administration’s cybersecurity executive order contains 37 pages of important new guidelines and requirements that will help protect our networks—but it remains silent on the critical issue of how automated testing must become a key part of that defense. 

The order requires the federal government to accelerate migration to the cloud, adopt zero-trust architecture, and implement multi-factor authentication. It also demands supply chain vendors bake security “by design” into their software development process, and expects private-sector vendors to increase communication and collaboration with government agencies in order to harden cyber defenses.

All well and good. And to be sure, moving to the cloud can improve network security. Cloud service providers invest heavily in security innovation and provide a more homogenous and easily-secured footprint compared to on-premise infrastructure, much of it hobbled by years of security debt. Ultimately, however, security comes back to people, and people will always be prone to make mistakes.

Given the resources that America’s adversaries are pouring into their campaigns to find new ways to penetrate U.S. systems, a simple checklist of security best-practices will always leave us one step behind. We must think in terms of cyber readiness and become proactive, not just reactive—which means doing more than checking compliance boxes; we must also do our best to attack and defeat our own network defenses. It is the only way to keep ahead of adversaries who are doing the same. And we must do so continuously, matching the cadence of adversaries who, by one measure, are sending 36 million malicious emails a day—to the Defense Department alone! 

We know that penetration tests and red team exercises are the gold standard of cyber defense. But these are expensive—far too expensive to keep a continuous eye on every corner of the U.S. military’s networks, let alone the rest of America’s systems. Machine-based automation is the sole path to reaching the scale required. Artificial intelligence and machine learning can automate and scale security testing methods to the point where they can take on much of the work of cyber defense. Automation can help ensure that software not only enters production in a secure state but remains that way over time. Only via automation can authorizing officials ensure that inadvertent changes to systems—so-called configuration drift—do not open glaring chinks in the armor. Finally by continually probing the changing application landscape, AI can help ensure defenses remain effective over time.

AI is already being used for defensive cyber operations to automate monitoring, detection, and response to actual attempted breaches. Offensive penetration testing is more technically challenging, but progress is already being made on developing AI tools that, for example, can carry out better network reconnaissance, that can operate with enhanced stealth to avoid detection, or that are more efficient in cracking passwords.  

The costs of building AI testing programs for our own systems are not trivial—advanced password cracking to test the integrity of our network security, for example, requires significant computational power—but those costs will come down as technology progresses and the overall cost of compute falls. The real barrier to their adoption is conceptual: persuading budget appropriators that paying for prevention now is better and cheaper than paying for the cure later.

If the executive order is to be a watershed in this nation’s cyber defenses, rather than a missed opportunity at a critical moment, now is the time to embrace the power of AI to support our smartest minds in out-thinking even our most determined adversaries.

Kevin Tonkin leads product management for Rebellion Defense’s cyber readiness products. Before joining Rebellion, Kevin led product and engineering at Coalfire, a global cybersecurity firm.