With the US reeling from another high-profile cyber attack – this time crippling fuel supply across multiple states and leading to panic-buying-induced petrol shortages – President Joe Biden has signed a new Executive Order to harden America’s cyber defenses, with a big emphasis on public-private partnerships and information sharing.
The White House said recent cyber incidents such as the SolarWinds and Microsoft Exchange Server attacks, and now the Colonial Pipeline ransomware incident had been “a sobering reminder” that both public and private sector organizations are facing off against sophisticated malicious activity, both from financially motivated criminals and hostile nation-states.
It said such incidents shared commonalities, such as insufficient cyber defenses that leave public and private sector organizations vulnerable. The Executive Order would significantly change that, improve cross-sector information sharing on cyber issues and strengthen the US’s ability to conduct appropriate incident response.
A spokesperson for the administration said: “Today’s Executive Order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely.
“It reflects a fundamental shift in our mindset – from incident response to prevention, from talking about security to doing security – setting aggressive but achievable goals to make the federal government a leader in cyber security, and improve software security and incident response.”
Described as “the first of many ambitious steps” the Biden administration will take to modernize cyber defenses, the Executive Order recognizes that much of the US’s critical national infrastructure (CNI) is privately owned and that private companies make their own decisions on cyber security – as the Colonial Pipeline incident has demonstrated.
In light of this, the US now plans to break down the barriers that stop the government and private sector from collaborating in areas such as threat information sharing, by ensuring the IT services sector is better able to share information with the government. Indeed, in some circumstances IT providers will in future be legally required to do so.
The White House said IT providers were too often hesitant (or unable) to share information about compromises, often for contractual reasons, but also out of reluctance to embarrass themselves or their customers. By enacting measures to change this, the administration believes it will defend government bodies more effectively and improve the cyber security of the US as a whole.
“We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cyber security investments to minimize future incidents,” said the White House.
The Executive Order also provides for the modernization and implementation of more robust cyber security standards within the US government, accelerating moves towards secure cloud services and zero-trust architectures, alongside mandatory multifactor authentication (MFA) and encryption of data at rest and in transit.
It further sets out to improve supply chain security by tightening standards for the development of software sold to the government, requiring developers to maintain visibility into their software and make security data available, and setting up a process to develop new approaches to secure software development practice. It also establishes a star rating program for secure software, akin to restaurant food hygiene ratings.
Finally, the Executive Order provides for the establishment of a Cyber Safety Review Board, co-chaired by public and private sector leads for incident response and investigation and modeled on the US National Transportation Safety Board that probes plane crashes; creates a standardized incident response playbook; establishes government-wide endpoint detection and response (EDR) capability; and mandates improved security event logging.
Reaction to the Executive Order from the cyber security community has been positive so far, with many experts enthused that the US government is taking the issue so seriously on Biden’s watch and others taking to Twitter to share their cyber shopping lists.
Accenture Security senior managing director Kelly Bissell commented: “We applaud the president for issuing the most significant cyber security policy directive we have seen. Today, with this Executive Order, we begin on a new path – one where governments and businesses can make faster, more informed decisions around the emerging threats, become more consistent, buy more secure products – and be more cyber resilient.
“Tomorrow, the hard work begins. We are committed to bringing our thousands of critical infrastructure clients together to shape the details to ensure that the vision for a more secure America becomes a reality.”
Tenable CEO Amit Yoran added: “Colonial Pipeline and SolarWinds are a two-decades-long cyber reckoning that hasn’t yet reached its crescendo. The community has warned governments, organizations, and consumers of the rising level of exposure ad nauseam. The wake-up calls will continue to get stronger until these issues are addressed on par with impacting our society.
“The question on everyone’s mind is whether the EO will stop the next SolarWinds or Colonial Pipeline attack. Make no mistake – no one policy, government initiative, or technology can do that. But this is a great start.”
Andrew Rubin, Illumio co-founder and CEO, said: “Cyber complacency has been plaguing the federal system for decades, as recently evidenced by the catastrophic breach involving SolarWinds. This new Executive Order acknowledges that we fundamentally need to change the way we think about cyber resiliency.
“Globally, we spent $173bn on cyber security last year, yet in the past year alone, we’ve seen more catastrophic breaches than at any other time in history. Despite our failing strategy and terrible outcomes, the US has continued to take the same approach to federal cyber security as we did 20 years ago.
“But today, the Biden Administration changed that by unfurling a sweeping Executive Order finally acknowledging the failings of an outdated federal cyber security model, and laying bare the first iteration of a new security design founded in zero-trust,” said Rubin.
“Cyber complacency isn’t just an American problem, or a federal problem, or a policy problem – it’s a global problem. That’s why I welcome this Executive Order with open arms. It’s a call to action to the world that we need to change how we protect ourselves. And with this new Executive Order – this new zero-trust blueprint – we’re on the path to a more secure future.”