How Biden's new executive order plans to prevent another SolarWinds attack
President Biden signed a sweeping executive order on Wednesday aimed at protecting federal networks, as the East Coast continues to deal with the fallout from a ransomware attack that shut down one of the nation’s largest fuel pipelines for several days.
The Biden administration has been drafting the order over the last few months. It is designed less to address an incident like the one experienced by Colonial Pipeline, a privately owned critical infrastructure operator that is believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.
The order covers a wide range of topics that have been debated by lawmakers and cybersecurity experts since the SolarWinds attack was found to have compromised several government agencies late last year, including the Treasury and Justice Departments and the Cybersecurity and Infrastructure Security Agency. These include stricter security requirements for software contractors, new encryption and authentication standards for government agencies, and the establishment of a cyber incident review board modeled after the National Transportation Safety Board.
The White House noted that addressing incidents like the attack on Colonial Pipeline would require buy-in from the private sector, which operates an estimated 80% to 90% of the nation’s critical infrastructure, and potentially new legislation from Congress. The executive order “is the first of many ambitious steps the Administration is taking to modernize national cyber defenses,” the White House said in a statement. “However, the Colonial Pipeline incident is a reminder that federal action alone is not enough.”
Here are some of the big changes introduced by the order:
A new cyber review board
The order tasks the Secretary of Homeland Security with establishing the Cyber Safety Review Board, which will review and assess cybersecurity incidents in the same way that the NTSB oversees aviation accidents, highway crashes, and other transportation-related incidents.
The board will have both public and private sector members, including representatives from the Department of Defense, the Department of Justice, CISA, the National Security Agency, and the FBI. Representatives from private-sector cybersecurity and software suppliers will be chosen by the Secretary of Homeland Security. Additionally, a representative from the Office of Management and Budget will participate on the board when an incident involves federal agencies.
"The Colonial Pipeline shutdown is a good example of why we need a CyberNTSB. If a criminal group can shut down 45% of the East Coast's fuel supply we all have a right to know how this happened and how it should be prevented."
— Chris Wysopal (@WeldPond), May 10, 2021
Once the board completes its review of an incident, any advice, information, or recommendations for improving cybersecurity and incident response practices will be channeled to the president through Homeland Security officials, the order says.
New agency requirements
Within 60 days of the order, federal agencies are required to develop a plan to implement zero-trust architecture and update existing plans to prioritize resources for the adoption and use of cloud technology. The director of CISA will be tasked with developing and issuing documents related to recommended approaches to cloud migration and data protection.
Within 180 days of the order, federal agencies are required to adopt multi-factor authentication and encryption for data at rest and in transit “to the maximum extent consistent with Federal records laws and other applicable laws,” according to the order.
Within 60 days of the order, a number of agencies will be required to begin modernizing FedRAMP, a government-wide security assessment program. Among other changes, they must establish a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests, incorporate automation throughout the FedRAMP lifecycle, and streamline the documentation that vendors are required to complete.
Information sharing and supply chain measures
The National Institute of Standards and Technology is tasked with issuing guidelines to establish baseline security standards for the development of software sold to the government. These will include providing a purchaser with a Software Bill of Materials for each product, employing encryption for data, and establishing multi-factor, risk-based authentication across the enterprise.
It also creates an "Energy Star" type of pilot program: the goal is to label internet-connected devices so that consumers and government agencies can quickly determine whether the software was developed securely.
Additionally, the executive order takes aim at removing barriers to threat information sharing between the public and private sectors, in part by requiring IT service providers to share certain breach information with the government.
“IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches,” the White House said. “Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments.”
Politicians who have been involved in crafting federal cybersecurity legislation released statements in support of the executive order on Wednesday, with most saying that it represented a good first step that Congress must add to.
"This executive order is a good first step, but executive orders can only go so far. Congress will have to step up & do more to address our cyber vulnerabilities, & I look forward to working with the administration & my colleagues on both sides of the aisle to close those gaps. https://t.co/O8w1Ts9ddg"
— Mark Warner (@MarkWarner), May 13, 2021
Rep. Jim Langevin (D., Rhode Island), chair of the House Armed Services Subcommittee on Cybersecurity, Innovative Technologies, and Information Systems and a member of the Cyberspace Solarium Commission, said, "Today's executive actions will address holes in federal network security by mandating commonsense security controls, like multi-factor authentication and encryption, that make all the difference... As the White House noted today, this Executive Order alone is not enough," adding that Congress must confirm Chris Inglis as National Cyber Director and take other additional steps.
Sen. Mark Warner (D., Virginia), chairman of the Senate Select Committee on Intelligence, said in a statement: "This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities."
Rep. Bennie Thompson (D., Mississippi), chairman of the Committee on Homeland Security, and Rep. Yvette Clarke (D., New York), chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, said in a joint statement: "If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President today is just that."
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.