Cyberattacks have been around for as long as there has been a cyber infrastructure. However, a series of recent highly publicized attacks in the U.S. clearly show an escalation and expansion in the threat landscape. From the detection of the Solarwinds attack in December of 2020 by Russian hackers (according to U.S. intelligence agencies) to the hacking of Microsoft Exchange Servers by a group Microsoft has named Hafnium operating out of China, it is clear that government and private networks across the U.S. are being targeted with increasing frequency.
This past Wednesday, following a highly publicized ransomware attack on Colonial Pipeline in which they ultimately paid nearly $5 million to the Darkside cybergang, President Biden issued Executive Order No. 14028, which focuses on cybersecurity improvements at the federal level. The Biden Administration has made cybersecurity a top priority and acknowledges that the “prevention, detection, assessment, and remediation of cyber incidents is…essential to national and economic security.” The Executive Order calls for sweeping changes throughout the federal government while recognizing that “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.”
The Executive Order mandates a series of new cybersecurity standards and requirements primarily for federal agencies, though there are obligations for service providers. These provisions are detailed across eight sections.
- Removing Barriers to Sharing Threat Information: IT and OT service providers will have new responsibilities for collecting information about cybersecurity incidents and reporting to the agencies they support. This will be given effect via updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements.
- Modernizing Federal Government Cybersecurity: Each agency of the Federal Government shall accelerate movement to the cloud, adopt security best practices, consolidate and streamline data stores to allow for cybersecurity analytics, move toward Zero Trust Architecture and invest in the people and technology necessary to support a successful modernization effort.
- Enhancing Software Supply Chain Cybersecurity: The Director of NIST, in conjunction with the Federal Government, private sector, academia and other stakeholders will develop new guidelines for complying with various standards, procedures and criteria related to software development, including the provision of a Software Bill of Materials (SBOM) to each purchaser directly or publicly online. Two other interesting provisions in this Section apply to Internet of Things. First, the Secretary of Commerce, through the Director of NIST, in concert with other appropriate agencies, shall introduce pilot programs to educate the public on IoT device security. Second, the Executive Order also directs the creation of criteria for an IoT cybersecurity consumer labeling program.
- Establishing a Cyber Safety Review Board: The Secretary of Homeland Security, with the Attorney General, will set up a Cyber Safety Review Board to review and assess cybersecurity incidents, as well as provide recommendations.
- Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents: Various agencies acting in concert shall develop a standard playbook designed to coordinate efforts to identify, remediate and recover from vulnerabilities and incidents impacting Federal Civilian Executive Branch (FCEB) Information Systems.
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks: The Federal Government will take several measures to enhance early detection of network vulnerabilities and incidents, including the use of an Endpoint Detection and Response (EDR) initiative.
- Improving the Federal Government’s Investigative and Remediation Capabilities: The Director of the OMB, with the Secretary of Commerce and the Secretary of Homeland Security, will create policies for agencies to establish requirements regarding the creation, retention and management of event logs across systems and networks.
- National Security Systems: A National Security System is any information system used by a government agency, contractor or organization acting on behalf of an agency that contain classified information or involve intelligence activity. The Executive Order mandates that cybersecurity requirements that meet or exceed those laid out in the Executive Order be adopted for National Security Systems, with some exceptions based on the unique mission needs of a particular agency.
Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, called Biden’s effort a “dramatic game changer” and expects these changes to influence cybersecurity improvements across industry sectors as well as for individual consumers. In light of the recent cyberattacks on major U.S. enterprises and government agencies, and the fact that threats come from independent cybercriminals, cybergangs and state-sponsored hackers alike, national cyber defense is of paramount importance. Though not a 100% all-encompassing solution, President Biden’s Executive Order strikes the necessary tone and takes many leaps in the right direction towards a more secure federal information ecosystem.