With the US reeling from another high-profile cyber attack – this time crippling fuel supply across multiple states leading to panic-buying induced petrol shortages – president Joe Biden has signed a new Executive Order to harden America’s cyber defences, with a big emphasis on public-private partnerships and information sharing.
The White House said recent cyber incidents such as the SolarWinds and Microsoft Exchange Server attacks, and now the Colonial Pipeline ransomware incident, had been “a sobering reminder” that both public and private sector organisations are facing off against sophisticated malicious activity, both from financially motivated criminals and hostile nation-states.
It said such incidents shared commonalities such as insufficient cyber defences that left both public and private sector organisations vulnerable, and that the Executive Order would take a significant step towards changing that, improving cross-sector information sharing on cyber issues and strengthening the US’ ability to conduct appropriate incident response.
A spokesperson for the administration said: “Today’s Executive Order makes a down payment towards modernising our cyber defences and safeguarding many of the services on which we rely.
“It reflects a fundamental shift in our mindset – from incident response to prevention, from talking about security to doing security – setting aggressive but achievable goals to make the federal government a leader in cyber security, and improve software security and incident response.”
Described as “the first of many ambitious steps” the Biden administration will take measures to modernise cyber defences, the Executive Order recognises that much of the US’ critical national infrastructure (CNI) is held privately, and that private companies make their own decisions on cyber – as the Colonial Pipeline incident has demonstrated.
In light of this, the US now plans to do more to break down the barriers that are stopping the government and private sectors from collaborating in areas such as threat information sharing by ensuring the IT services sector is better able to share information with the government – indeed, it will in future, in some circumstances, be legally required to.
The White House said IT providers were too often hesitant (or unable) to share information about compromises, often for contractual reasons, but also out of hesitance to embarrass themselves or their customers. By enacting measures to change this, the administration believes it will be able to defend government bodies more effectively and improve the wider cyber security of the US as a whole.
“We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cyber security investments with the goal of minimising future incidents,” said the White House.
The Executive Order – the full text of which can be read here – also provides for the modernisation and implementation of stronger cyber security standards within the US government, accelerating moves towards secure cloud services and zero-trust architectures, alongside mandatory multifactor authentication (MFA) and encryption.
It further sets out to improve supply chain security by tightening standards for the development of software sold into the government, requiring developers to maintain visibility into their software and make security data available, and sets up a process to develop new approaches to security development practice. It also establishes a star rating programme for secure software, akin to restaurant food hygiene standards.
Finally, the Executive Order provides for the establishment of a Cyber Security Safety Review Board, co-chaired by public and private sector leads for incident response and investigation, modelled on the US’ National Transportation Safety Board that probes plane crashes; creates a standardised incident response playbook; establishes a government-wide endpoint detection and response (EDR) system; and mandates improved security event logging.
Reaction to the Executive Order from the cyber security community has been positive so far, with many experts enthused that the US government is taking the issue so seriously on Biden’s watch, and others taking to Twitter to share their cyber shopping lists.
Accenture Security senior managing director Kelly Bissell commented: “We applaud the president for issuing the most significant cyber security policy directive we have seen. Today, with this Executive Order, we begin on a new path – one where governments and businesses can make faster, more informed decisions around the emerging threats, become more consistent, buy more secure products – and be more cyber resilient.
“Tomorrow the hard work begins. We are committed to bring our thousands of critical infrastructure clients together to shape the details to ensure that the vision for a more secure America becomes a reality.”
Tenable CEO Amit Yoran added: “Colonial Pipeline and SolarWinds are a two-decades-long cyber reckoning that hasn’t yet reached its crescendo. The community has warned governments, organisations and consumers of the rising level of exposure ad nauseam. The wake up calls will continue to get stronger until these issues are addressed on par with how they can impact our society.
“The question on everyone’s mind is whether the EO will stop the next SolarWinds or Colonial Pipeline attack. Make no mistake – no one policy, government initiative or technology can do that. But this is a great start.”
Andrew Rubin, Illumio co-founder and CEO, said: “Cyber complacency has been plaguing the federal system for decades, as recently evidenced by the catastrophic breach involving SolarWinds. This new Executive Order acknowledges that we fundamentally need to change the way we think about cyber resiliency.
“Globally, we spent $173bn on cyber security last year, yet in the past year alone we’ve seen more catastrophic breaches than at any other time in history. Despite our failing strategy and terrible outcomes, the US has continued to take the same approach to federal cyber security as we did 20 years ago.
“But today, the Biden Administration changed that by unfurling a sweeping Executive Order finally acknowledging the failings of an outdated federal cyber security model, and laying bare the first iteration of a new security design founded in zero-trust,” said Rubin.
“Cyber complacency isn’t just an American problem, or a federal problem, or a policy problem – it’s a global problem. That’s why I welcome this Executive Order with open arms. It’s a call to action to the world that we need to change the way we protect ourselves. And with this new Executive Order – this new zero-trust blueprint – we’re on the path to a more secure future.”
