13 May 2021 | 18:34 UTC
Highlights
Software security, cyber hygiene seen as common problems
Executive order overhauls federal software procurement
White House calls on industry to boost cyber investments
US President Joe Biden took steps to modernize national cyber defenses with an executive order and encouraged the private sector to similarly pursue ambitious measures to align their cybersecurity investments with the goal of mitigating future breaches.
A laissez-faire attitude towards cybersecurity and poor software security were noted by a senior Biden administration official during a May 12 call with reporters as common threads in last year's SolarWinds incident and the recent ransomware attack on Colonial Pipeline.
The SolarWinds incident allowed hackers to access computer networks used by the Department of Energy, the Federal Energy Regulatory Commission and other government and private entities, while the ransomware attack shut down for five days a 5,500-mile pipeline that supplies about 45% of all the gasoline and diesel fuel consumed on the East Coast. A combination of regional shortages and panic-buying caused close to 50% or more of gas stations in North Carolina, South Carolina, Georgia and Virginia to run out of fuel, and Colonial has said "it will take several days for the product delivery supply chain to return to normal."
With a constant barrage of sophisticated, malicious attacks from nation-state adversaries and run-of-the-mill criminals, the Biden administration is embarking on a "shift in mindset from incident response to prevention, from talking about security to doing security, [and] setting aggressive but achievable goals to make the federal government a leader in cybersecurity [while improving] software security and incident response," the administration official said on a call with reporters.
The executive order, issued late May 12, zeroes in on hardening the software supply chain against attacks, mandating cyber incident reporting for federal contractors, improving information sharing among agencies, and directing federal dollars toward security protocols believed to make systems harder to hack and data harder to use if breached. The executive order mandates these changes on a tight timeframe and brings in the private sector where it can, both to show private companies that it can be done and to help spur investment in modernized cybersecurity tools.
The White House stressed that federal action alone would not be enough as much of the country's critical infrastructure is privately owned and thus subject to private companies' determinations on cybersecurity investments.
Investor-owned utility trade group Edison Electric Institute came out in support of the president's actions and acknowledgment of the value of government-industry partnerships and information sharing to protect the country from malicious cyber actors.
"We have long maintained that grid security is a shared responsibility, and addressing dynamic threats to the energy grid requires vigilance and coordination that leverages both government and industry resources," EEI President Tom Kuhn said in a statement. "EEI and our member companies already are working closely with our government partners through the CEO-led Electricity Subsector Coordinating Council, and this EO complements this ongoing collaboration to protect America's critical energy infrastructure."
The executive order calls on the federal government to lead by example by adopting security best practices, such as expediting the move to secure cloud services, employing zero-trust security models and mandating deployment of multifactor authentication and encryption within 180 days. It gives the heads of federal agencies 60 days to develop or update their plans for meeting these modernized cybersecurity protocols.
The executive order also instructs the Office of Management and Budget to update federal acquisition regulations in order to remove contractual and other barriers that federal government contractors providing IT and OT services may face when asked to share threat or incident information with government entities such as the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation.
Information and communications technology service providers working with federal agencies will be required to report any cyber incidents to the impacted agencies and to CISA. The executive order tasks the Department of Defense and others with developing procedures for disseminating those cyber incident reports promptly among agencies.
Adversaries' exploitation of vulnerabilities in software shipped to the US "is a long-standing, well-known problem, but for too long we have kicked the can down the road," a White House fact sheet that accompanied the executive order said. "We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up."
With that in mind, the executive order seeks to put in place baseline software supply chain security standards, requiring developers of software sold to the US government to maintain greater visibility into their products and make security data public. The order sets in motion the creation of a public-private process for developing innovative solutions to securing software development, using the power of federal procurement to incentivize that market, as well as a pilot program to create an "Energy Star"-style label so consumers can quickly identify software that meets certain cybersecurity criteria.
Federal departments and agencies will have, within 120 days, a standardized playbook for responding to cybersecurity vulnerabilities and incidents with uniform definitions and steps for identifying and mitigating threats. The directors of CISA and the National Security Agency will annually review and update the playbook. The White House intends for the playbook to also serve as a template for the private sector's response efforts.
The executive order also establishes a government-wide endpoint detection and response system and improved information sharing within the federal government to improve detection of malicious cyber activity on federal networks. It also imposes cybersecurity event log requirements on federal departments and agencies to improve investigative and remediation capabilities.
To ensure lessons are learned after significant cyber incidents do occur, the executive order creates a Cybersecurity Safety Review Board, made up of government officials, software suppliers and private-sector cybersecurity experts, to analyze those incidents and make recommendations for improvements. The board is modeled after the National Transportation Safety Board, which assesses airplane crashes and other incidents.