Biden signs much-anticipated cybersecurity executive order
The order will, among other things, mandate measures such as multifactor authentication and encryption across government agencies in as quickly as six months.
President Joe Biden on Wednesday signed his long-awaited executive order designed to confront the myriad of cybersecurity challenges facing the country -- ranging from the supply chain attack that compromised nine federal agencies to ransomware that ultimately shut down a natural gas pipeline last week.
“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” according to a White House statement on the EO.
White House officials have discussed the executive order in vague terms for several weeks but gave no clues on when exactly it would be signed. The order ended up being released as the administration continues to work with Colonial Pipeline to confront a ransomware attack that brought down a key East Coast conduit for natural gas and oil. Just hours before the signing, Energy Secretary Jennifer Granholm announced the company said it had begun restoring pipeline operations.
A senior administration official on Wednesday said the spate of high profile incidents is a “sobering reminder” about how vulnerable public and private sector entities are to cyberattacks and that the EO represents a “fundamental shift in our mindset” from incident response to prevention.
The executive order mandates several basic cybersecurity practices across the federal government such as multi-factor authentication, encryption and end point detection to be rolled out in as quickly as six months.
“The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption,” according to a White House statement.
The order also mandates contractors notify the government if their networks are breached and share specific details about the incident; recommended contract language to specify the exact requirements is due within 45 days. The administration official said the Cybersecurity and Infrastructure Security Agency will play a major role in helping flesh out what details will be required for disclosures.
Multiple lawmakers have said they are drafting legislation to a similar effect as the executive order’s mandate for breach notification. FCW reported in March the reason, experts say, that breach notification policies are not already in place in government contracts is due to contracting and policy differences among individual agencies.
The order also establishes a “Cybersecurity Safety Review Board,” similar to the National Transportation and Safety Board, a suggestion that lawmakers and industry have historically called for. Those calls were renewed by senators such as Mark Warner (D-Va.) following the supply chain attack on SolarWinds.
After the EO was published, the senator said the recent attacks highlighted what has “become increasingly obvious” over the past few years. “The United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage,” he said. “This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities.”
The administration official said this board will be stood up after each incident by the Department of Homeland Security. The DHS secretary will co-chair the board alongside a private sector leader who is knowledgeable about the relevant issues. The board’s first task will be to review and report on the hacking campaign against SolarWinds, according to the administration official.
“Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements,” according to a White House statement.
The administration is also directing the National Institute for Standards and Technology to begin developing a labeling system for Internet-of-Things devices to help consumers make smarter buying decisions, similar to a system already in place in Singapore.
Non-government organizations headed by cybersecurity experts have flooded the new administration with recommendations. A group of former government officials and industry organized by the Institute for Security and Technology in April made a variety of recommendations for how to combat ransomware. A technology trade association, ITI, also in April published a number of policy recommendations for securing information and communications technology.
“The Administration's new Cybersecurity Executive Order lays out an ambitious & achievable workplan to dramatically improve the security of US govt networks by using the power of the purse,“ Chris Krebs, the former CISA chief, tweeted on Wednesday.