President Biden Issues Cybersecurity Executive Order
Measure aims to address large-scale adversarial attacks to the government and critical infrastructure.
In an effort to increase critical infrastructure cybersecurity and better protect federal networks, President Joseph Biden signed an executive order on May 12. It includes provisions to improve information sharing between industry and the U.S. government, overhaul federal cybersecurity standards, spur the further use of cloud computing and zero trust architecture, and mandate the use of multifactor authentication and encryption. Amongst other measures, the executive order establishes a Cybersecurity Safety Review Board that would dissect a significant cyber incident and make recommendations for action.
The move comes in the wake of several major cyber attacks by adversaries, including the stunning malware attack over the weekend and related shutdown of the Colonial Pipeline, which runs from Houston, Texas to Linden, New Jersey, and carries refined petroleum products, including gasoline and jet fuel, to the East Coast.
“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” according to a statement from the White House. “This executive order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”
In a teleconference with the media yesterday evening, a senior administration official noted that the cyber incidents brought to light the “laissez-faire attitude” toward cybersecurity. “For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort and money,” the official said. “And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ to be the status quo under which we operate.”
The executive order aims to protect federal networks through the rollout on “a tight timeline” of multifactor authentication, encryption, endpoint detection response, logging and zero-trust architecture and cloud computing. “Following the SolarWinds incident response, we were confronted by the hard truth that some of the most basic cybersecurity prevention and response measures were not systemically rolled out across federal agencies,” the senior administration official said. “So, we identified a small set of high-impact cyber defenses that, when implemented, make it harder for an adversary to compromise and operate on a hacked network.”
To remove barriers between the government and industry in regard to information sharing of cyber threats and attacks, the executive order allows—through future changes to contract language—information technology service providers to share data and in certain circumstances, requires them to release breach information.
The Cybersecurity Safety Review Board—akin to the National Transportation Safety Board that examines major airplane crashes and other transportation incidents—convened by the Secretary of Homeland Security would be led by industry and government officials from the Departments of Defense and Justice, the Cybersecurity and Infrastructure Security Agency, the NSA and the FBI, which would decipher major cyber incidents and “make concrete recommendations” to improve cybersecurity.
To advance software supply chain security and use the power of federal procurement to incentivize the market, the measure creates baseline standards for governmental software development and requires developers to provide greater visibility into their code. The senior administration official stressed that all of the recent major cyber incidents all were a result of “poor software security,” noting that “the current market development of ‘build, sell and maybe patch later’ means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure.”
For federal agencies, the policy calls for the creation of a standard guide to rely on when responding to cyber breaches and would require officials to employ a cybersecurity event log protected by cryptographic methods. In addition, the use of a government-wide endpoint detection and response system aims to improve cybersecurity.
Mirroring the successful Energy Star program—which identifies for consumers the household appliances that meet certain efficiency standards—the executive order directs the National Institute of Standards and Technology to establish an initial labeling program to identify the security capabilities of Internet of Things (IoT) consumer devices and software that was developed in a secure manner. The senior administration official offered Singapore’s cybersecurity labeling initiative for IoT connected devices as “a great starting point” for the United States.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” the statement acknowledged. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up.”