Biden Signs Sweeping Executive Order on Cybersecurity

Order Emphasizes Partnerships, IT Modernization and Supply Chain Security


President Joe Biden signed an extensive executive order Wednesday detailing the government’s plan to increase cybersecurity protection across the public and private sectors, as well as to secure the nation’s digital infrastructure against the type of attack that targeted SolarWinds and its customers.

The Executive Order on Improving the Nation’s Cybersecurity covers a myriad of topics, including improving the ability of the public and private sectors to share threat intelligence; modernizing the federal government’s approach to cybersecurity; and enhancing software supply chain security.

The executive order, which had been expected for weeks, is part of the Biden Administration response to a series of cybersecurity incidents that have happened over the last several months, including the supply chain attack against SolarWinds, the attacks that targeted vulnerabilities in both Microsoft Exchange and Pulse Connect Secure VPNs and, as of this week, the ransomware attack that hit Colonial Pipeline (see: Colonial Restarts Operations Following Ransomware Attack).

Besides the executive order, the White House has also responded to both the SolarWinds attack, as well as interference in the 2020 U.S. election, by slapping sanctions on Russia, its intelligence services as well as companies and individuals that the administration believes assisted during these incidents (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).

By signing the executive order on Wednesday, the Biden Administration acknowledged that the U.S. needs sweeping changes in how it approaches cybersecurity and protects the nation’s infrastructure.

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the executive order states.


In the run-up to signing the executive order, the Biden administration, as well as Congress, allocated $1 billion toward improving and modernizing IT infrastructure across the federal government, which many believe will improve cybersecurity (see: IT Modernization Grants Will Prioritize Cybersecurity).

“The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order,” the executive order states.


Eliminating Information Silos

The executive order directs the removal of contractual barriers that currently prevent federal agencies and their private sector service providers from sharing threat intelligence and other cybersecurity-related information.

“These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents,” according to the executive order.

Going forward, contract language will require service providers to collect and preserve data related to any cyber incidents and to share that information with the agencies they serve.

Modernization

The executive order calls for a government-wide modernization effort to adopt security best practices while maintaining privacy and civil liberties. The changes include advancing toward a zero-trust architecture as well as accelerating movement toward secure cloud services, including software-as-a-service, infrastructure-as-a-service and platform-as-a-service.

The executive order also requires centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, as well as investment in both technology and personnel to match these modernization goals.

The order directs all agency heads to begin moving toward these goals within 60 days and provide a progress report to the director of the Office of Management and Budget.

Tim Wade, technical director for the CTO Team at security firm Vectra and a former U.S. Air Force officer, notes that the Biden administration not only addressed security with the order, but also took care to emphasize data privacy.

“Privacy is itself a form of security – security against the erosion of opportunities for an individual to enjoy fairness, liberty, and equality before the law and our society at large,” Wade says. “As we forge ahead towards the much needed partnership between federal and private sectors, we will do well to remember that the preservation of individual privacy is among our chief pursuits.”

Supply Chain

The executive order notes that the commercial software used by federal agencies often lacks transparency, the ability to resist attack, and adequate controls to prevent malicious actors from gaining access.

“There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended,” the order says.

Addressing the faults in the software supply chain is critical to understanding and preventing another attack such as the one that targeted SolarWinds, experts say.

“This executive order correctly emphasizes enhancing software supply chain security, removing barriers to threat information for government contractors, standardizing agency playbooks for incident response, and modernizing federal cybersecurity,” says Steve Grobman, CTO at the security firm McAfee.

Within 30 days of the order’s signing, the Commerce Secretary – acting through the director of the National Institute of Standards and Technology – must solicit input from federal agencies, the private sector and academia. The government will then use this input to develop guidelines and criteria for evaluating software security and the best practices software developers must follow.

Support for Cyber

Some elected officials and private sector leaders warmly greeted the executive order. However, they note that the signing of the directive is only the start of the process required to safeguard the nation’s digital infrastructure.

“This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps,” says Sen. Mark Warner, D-Va., the chairman of the U.S. Senate Intelligence Committee.

Kelly Bissell, senior managing director of Accenture Security, notes: “Today, with this executive order, we begin on a new path – one where governments and businesses can make faster, more informed decisions around the emerging threats, become more consistent, buy more secure products – and be more cyber resilient. Tomorrow the hard work begins.”

Managing Editor Scott Ferguson contributed to this story. Detailed analysis of each of the order’s components will follow.