WASHINGTON – As the east coast suffered the effects of a ransomware attack on a major oil pipeline, President Biden signed an executive order on Wednesday that set tough new standards for the cybersecurity of software sold to the federal government.
The move is part of an overall effort to strengthen the defense of the United States by encouraging private companies to practice better cybersecurity or at risk of being banned from federal treaties. However, the bigger effect may come from what, over time, might look like a government safety rating for software products, similar to how cars get a safety rating or restaurants in New York get a health safety rating.
The contract comes amid a wave of new cyberattacks that are more sophisticated and far-reaching than ever before. Last year, around 2,400 ransomware attacks hit corporate, local and federal agencies in blackmail schemes that block or publish victims’ data unless they pay a ransom.
The most pressing fear is an attack on critical infrastructure, a point that Americans who panicked to buy gasoline became clear this week. A ransomware attack on Colonial Pipeline’s information systems forced the company to shut down a critical pipeline that has been supplying 45 percent of the east coast’s gasoline, diesel and jet fuel for several days.
While every president since George W. Bush has issued new guidelines to strengthen the country’s digital defenses, Biden’s command is designed to dig deep into the private sector. And it’s far more detailed than any previous effort.
For the first time, the US will require all software purchased by the federal government to meet a set of new cybersecurity standards within six months. Although companies would have to self-certify, violations would be removed from federal procurement lists, which could affect their chances of selling their products in the commercial market.
The contract also sets up an incident review board, much like the teams that investigate aircraft accidents to learn lessons from major hacking episodes. The White House dictates that the first incident investigated will be the SolarWinds hack, in which Russia’s leading intelligence agency changed the computer code of an American company’s network management software. It gave Russia broad access to 18,000 agencies, organizations, and companies, mostly in the United States.
The new regulation also stipulates that all federal agencies must encrypt data, regardless of whether it is stored or transmitted – two very different challenges. When China stole 21.5 million files via federal employees and contractors who had security clearance in place, none of the files were encrypted so they could be easily read. (Chinese hackers, investigators later concluded, encrypted the files themselves – so as not to be discovered when they sent the sensitive records back to Beijing.)
Previous efforts to set minimum standards for software failed at Congress, particularly at a major showdown nine years ago. Small businesses have said the changes are not affordable and larger businesses have resisted an intrusive role the federal government plays in their systems.
But Mr Biden decided it was more important to act quickly than try to fight for broader mandates on Capitol Hill. Its staff said it was a first step, and industry officials said it was bolder than expected.
Updated
May 12, 2021, 7:36 p.m. ET
Amit Yoran, the executive director of Tenable and a former cybersecurity officer in the Department of Homeland Security, said the question everyone was wondering was whether Mr. Biden’s orders would stop the next Colonial or SolarWinds attacks.
“No politics, government initiative or technology can do that,” said Yoran. “But that’s a good start.”
Government officials have complained that Colonial had poor defenses, and although it built a hard shell around its computer networks, it had no way of monitoring an adversary who got inside. The Biden administration hopes that the standards set out in the Executive Ordinance, which require multifactor authentication and other protective measures, will become widespread and improve security worldwide.
Senator Mark Warner, Democrat of Virginia and chairman of the Senate Intelligence Committee, praised the order but said it should be followed by Congressional action.
Mr Warner said the recent attacks “have shown what has become increasingly apparent in recent years: that the United States is simply unwilling to fend off government sponsored or even criminal hackers who intend to compromise our systems for profit or espionage.” “
The new order is the first major public part of a multi-faceted review of defense, offensive, and legal strategies against opponents around the world. However, this arrangement focuses solely on deepening the defense in hopes of deterring attackers because they fear they will fail – or are at greater risk of being detected.
The Justice Department is setting up a new task force to take over ransomware. Now that it has been discovered in recent months that such attacks are more than just blackmail, they can topple economic sectors.
Mr Biden announced sanctions against Russia for the SolarWinds hack, and his national security adviser Jake Sullivan said there would be “invisible” consequences as well. So far, the United States has not taken similar action against the Chinese government because it was believed to have been involved in another attack and exploited loopholes in a Microsoft system used by large corporations around the world.
The Executive Order was first drafted in February in response to the SolarWinds intrusion. This attack was particularly nifty because hackers working for the Russian government managed to modify the company’s under development code that unsuspectingly distributed the malware in an update to its software packages. It was discovered during Mr Biden’s transition and led him to state that he could not trust the integrity of the federal computer systems.
Established under the Executive Ordinance, the review body is jointly chaired by the Minister of Homeland Security and a private sector official, based on the specific episode currently being investigated, in order to attract industry executives who fear the investigation could be fodder for lawsuits .
Since it was created by executive order rather than an act of Congress, the new body will not have the same extensive powers as a security body. However, officials remain confident that this will be helpful in identifying vulnerabilities, improving security practices, and pushing companies to invest more in improving their networks.
Much of the executive order focuses on information sharing and transparency. The aim is to reduce the time it takes for organizations that have been hacked or discover vulnerabilities to share this information with the Cyber Security and Infrastructure Security Agency.
