WASHINGTON: The Biden administration today issued a long-awaited cyber executive order that compels federal contractors to share information on cyber incidents and establishes a Cybersecurity Safety Review Board, among other measures.
“Today’s executive order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely,” a senior administration official said. “It reflects a fundamental shift in our mindset — from incident response to prevention, from talking about security to doing security.”
The order comes on the heels of three consequential cyber campaigns — SolarWinds, Microsoft Exchange server hacks, and Colonial Pipeline. The government is still deeply involved in dealing with the latest incident. Colonial Pipeline said today it has initiated the restart of pipeline operations.
SolarWinds, in particular, seems to have heavily influenced the EO. “Following the SolarWinds incident response,” the senior administration official said, “we were confronted by the hard truth that some of the most basic cybersecurity prevention and response measures were not systemically rolled out across federal agencies.”
“So, we identified a small set of high-impact cyber defenses that, when implemented, make it harder for an adversary to compromise and operate on a hacked network.”
The EO says: “The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
To this end, the EO sets out a series of short-term timelines around several goals:
- Removing barriers to sharing threat intelligence
- Modernizing federal cybersecurity
- Enhancing supply chain security
- Establishing a Cyber Safety Review Board
- Standardizing the federal government’s “playbook” for responding to incidents
- Improving detection on federal networks
- Improving the government’s investigative and remediation capabilities
- Setting requirements for national security systems
Notably, the EO requires information and communications technology (ICT) service providers with federal contracts to report cyber incidents. “ICT service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies,” the EO states. The EO also requires cyber incident reporting to CISA, in some cases.
The EO also directs entities within the federal government to “develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.”
The EO establishes a Cybersecurity Safety Review Board, akin to the National Transportation Safety Board, for cyber incidents. The Cybersecurity Safety Review Board will be led by government and private sector co-chairs.
Several technologies must be rolled out across federal networks within a specified timeframe, according to the EO. These include multi-factor authentication, encryption, endpoint detection, logging, and operating in a zero-trust environment.
“We commend the Biden administration on their ongoing efforts to address the recent SolarWinds-SUNBURST attack against public and private sector networks,” McAfee CTO Steve Grobman said. “The administration’s emphasis on data, objectivity, and constructive measures ensures that we, as a nation, are able to meet this new threat by modernizing federal cybersecurity.”