Biden Executive Order Revamps Nation’s Cybersecurity Posture

The order introduces the “software bill of materials” and Cybersecurity Safety Review Board, holds federal contractors to new incident reporting standards and modernizes agencies’ strategies.

[Image: President Joe Biden. Credit: Shutterstock/archna nautiyal]

President Joe Biden issued an executive order yesterday that could help stave off another SolarWinds or Microsoft Exchange-style event — or at least ensure that when the next one happens, the federal government is in a position to more rapidly respond and contain the damage.

Biden’s Executive Order on Improving The Nation’s Cybersecurity outlines a comprehensive new approach to shoring up software supply chain security, removing current reporting obstacles that inhibit the government’s ability to assess incidents and holding both federal contractors and public agencies to higher security standards.

“The security of software used by the federal government is vital to the federal government’s ability to perform its critical functions,” the order reads.

CONTRACTOR REPORTING

The SolarWinds hack saw malware-infected software updates sent out to 18,000 public and private entities, yet details on even such massive security breaches can be slow to trickle out to the agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), that are charged with responding to such incidents. In a March congressional hearing, SolarWinds representatives said existing law does not require companies to report such attacks.

Microsoft was among those impacted by the attack on SolarWinds, which then put its own clients at risk. But federal contracts could get in the way of raising alarms and prevent “a company like Microsoft from sharing with others in the federal government when a particular agency has been hacked this way,” the firm’s president, Brad Smith, said during the March hearing. Smith said legal constraints also prevented Microsoft from simply alerting one central body, leaving the software company to (again, voluntarily) approach each impacted agency separately.

Biden’s executive order squarely tackles the problem by calling for a review and update of federal contracts to ensure vendors providing or operating systems for the government actively collect information on — and report — cyber attacks.

Software suppliers must inform their agency clients and CISA about any cyber incidents that affect their offerings. The graver the attack, the sooner suppliers must raise the alarm; for the “most severe” events that means reporting within three days of detecting the problem.

“Removing these contractual barriers and increasing the sharing of information about such threats, incidents and risks are necessary steps to accelerating incident deterrence, prevention and response efforts and to enabling more effective defense,” the order said.

CYBERSECURITY SAFETY REVIEW BOARD

A to-be-created Cybersecurity Safety Review Board will bring together public and private representatives to investigate cyber incidents as well, in a similar vein to how the National Transportation Safety Board investigates vehicular accidents. According to the order, the board will likely comprise members of CISA, the Department of Defense, the Department of Justice, the FBI and the NSA, plus private cybersecurity or software suppliers.

Concerns over revealing sensitive details can discourage cybersecurity victims from reporting or engaging government in investigations, and the order asserts that the board would “protect sensitive law enforcement, operational, business and other confidential information that has been shared with it,” as well as explore ways to foster more cooperation.

SUPPLY CHAIN TRANSPARENCY

The order also calls for developing new security standards regarding both federal software suppliers’ end products and the development environments used to make them. Guidelines include calls to keep track of the internal or third-party sources of each piece of code, tool, service and software component used in creating the solutions, in an apparent acknowledgment that a weakness in any of these could grant bad actors access.

Vendors also often use open source and commercial code components in the software they create, and the order will require them to give their customers records clearly listing these elements in what is known as a “software bill of materials” (SBOM). This listing is the developer equivalent of the ingredients list on food packaging, the executive order explains. SBOMs can help customers and developers recognize and alleviate risks by checking, for example, whether newly announced vulnerabilities involve code used in any of their software.

“Understanding the supply chain of software, obtaining an SBOM and using it to analyze known vulnerabilities are crucial in managing risk,” the order states.
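The check the order describes, matching an SBOM against newly announced vulnerabilities, looks like the following in practice. This is an added illustration, not code from the executive order, the article, or any SBOM tool: the SBOM follows the general shape of a CycloneDX JSON document (bomFormat, components, purl) in simplified form, the advisories mimic the introduced/fixed version ranges used by OSV-style feeds, and every package name, version and advisory ID (ADV-EXAMPLE-…) is constructed for the example.

```python
"""Match an SBOM's components against vulnerability advisories.

Added example. The SBOM is a constructed, CycloneDX-like document and the
advisories are constructed, OSV-style ranges; none of the names or IDs
refer to real packages or real vulnerabilities.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed SBOM (CycloneDX-like shape). The last component deliberately
# lacks a purl: an SBOM entry that cannot be identified cannot be matched,
# which is itself a finding a consumer of the SBOM should surface.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.0",
     "purl": "pkg:maven/org.example/log-helper@2.14.0"},
    {"type": "library", "name": "jsonparse", "version": "1.3.2",
     "purl": "pkg:npm/jsonparse@1.3.2"},
    {"type": "library", "name": "tls-utils", "version": "0.9.1",
     "purl": "pkg:pypi/tls-utils@0.9.1"},
    {"type": "library", "name": "vendored-crypto", "version": "1.0"}
  ]
}
"""

# Constructed advisories. "fixed": None means no fixed release exists yet,
# so every version from "introduced" onward is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "maven",
     "package": "org.example/log-helper", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm",
     "package": "jsonparse", "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "pypi",
     "package": "tls-utils", "introduced": "0.9.0", "fixed": None},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.0' into (2, 14, 0) so versions compare numerically.
    Assumes plain dotted-numeric versions; pre-release tags are out of scope."""
    return tuple(int(part) for part in text.split("."))


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:npm/jsonparse@1.3.2' into (ecosystem, name, version).
    A namespaced purl such as 'pkg:maven/org.example/log-helper@2.14.0'
    keeps 'org.example/log-helper' as the name. Qualifiers and subpaths
    of the full purl spec are not handled here."""
    body = purl[len("pkg:"):]
    ecosystem, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    return ecosystem, name, version


def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_json: str, advisories: List[dict]) -> Dict[str, list]:
    """Return advisory hits for identifiable components, plus the names of
    components that carry no purl and therefore could not be checked."""
    sbom = json.loads(sbom_json)
    hits, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        ecosystem, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["ecosystem"] != ecosystem or adv["package"] != name:
                continue
            if in_range(version, adv["introduced"], adv["fixed"]):
                hits.append({"component": purl, "advisory": adv["id"],
                             "fixed_in": adv["fixed"]})
    return {"hits": hits, "unidentified": unidentified}


if __name__ == "__main__":
    result = find_affected(SBOM_JSON, ADVISORIES)
    for hit in result["hits"]:
        print(f"{hit['component']} affected by {hit['advisory']} "
              f"(fixed in: {hit['fixed_in'] or 'no fix yet'})")
    for name in result["unidentified"]:
        print(f"{name}: no purl in SBOM, could not be checked")
```

Run against the constructed data, two components match (log-helper at 2.14.0 is inside the affected range; tls-utils has no fixed release), jsonparse at 1.3.2 is already past its fix and is correctly left alone, and the component with no purl is reported separately rather than silently passing. That last case is the practical reason an SBOM has to carry identifiers, not just names: a listing that cannot be matched to advisories gives its consumer nothing to act on.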

MODERNIZING AGENCIES’ SECURITY

The order puts emphasis not only on post-incident reporting and investigation but also on prevention and detection.

It asks public agencies to step up their approaches, including modernizing legacy software if it does not meet certain cybersecurity standards, encrypting data both during storage and transmission, adopting multifactor authentication and following zero-trust approaches with their networks. The order also encourages agencies to move to secure cloud environments, for which FedRAMP will provide guidance.

CISA is also asked to take up new efforts to smooth responses to cyber incidents. The intelligence agency will review current response practices and create a playbook recommending a standardized response approach for all agencies to follow.

Incidents from the SolarWinds attack to the recent Colonial Pipeline ransomware-induced shutdown have demonstrated how deeply public and private interests and security concerns are intertwined. Biden’s executive order underscores the point by asserting that mutual cooperation is necessary for reducing cyber threats, and by encouraging private-sector entities outside the executive order’s reach to take up similar efforts.

“Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments,” a White House fact sheet on the order states. “We encourage private sector companies to follow the federal government’s lead.”