Biden Signs Sweeping Executive Order on CybersecurityOrder Emphasizes Partnerships, IT Modernization and Supply Chain Security
President Joe Biden signed an extensive executive order Wednesday describing the government's plan to increase cybersecurity protection across the public and private sectors as well as secure the nation's digital infrastructure against the type of attack that targeted SolarWinds and its customers.
The "Executive Order on Improving the Nation’s Cybersecurity" covers myriad topics, including improving the ability for the public and private sectors to share threat intelligence, modernizing the federal government's approach to cybersecurity and enhancing supply chain security.
The order, which had been expected for weeks, is part of the Biden administration's response to a series of cybersecurity incidents that have happened over the last several months, including the SolarWinds supply chain attack, the attacks that targeted vulnerabilities in Microsoft Exchange and Pulse Connect Secure VPNs and the ransomware attack that hit Colonial Pipeline Co. (see: Colonial Pipeline Restarts Operations Following Attack).
Earlier, the White House responded to the SolarWinds attack, as well as interference in the 2020 U.S. election, by slapping sanctions on Russia and on companies and individuals that the administration believes assisted during those efforts (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
By signing the executive order on Wednesday, the Biden administration acknowledged the U.S. needs sweeping changes to how it approaches cybersecurity and protecting the nation's infrastructure.
"Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life," the executive order states.
In the run-up to signing the executive order, the Biden administration, as well as Congress, allocated $1 billion toward improving and modernizing IT infrastructure across the federal government, which many believe will improve cybersecurity (see: IT Modernization Grants Will Prioritize Cybersecurity).
"The federal government must lead by example. All federal information systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order," the executive order states.
Eliminating Information Silos
The order requires eliminating the current contractual barriers that prohibit federal agencies and the private sector from sharing threat intelligence and other cybersecurity-related information.
"These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on federal information systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents," according to the executive order.
All contract language going forward will require service providers to collect and preserve data related to any cyber incidents and share that information with the appropriate government agency.
The executive order also calls for a governmentwide modernization effort to adopt security best practices while maintaining privacy and civil liberties. The changes include advancing toward a "zero trust" architecture as well as accelerating movement toward secure cloud services, including software-as-a-service, infrastructure-as-a-service and platform-as-a-service offerings.
The executive order also requires centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks and investing in both technology and personnel to match these modernization goals. It directs all agency heads to begin moving toward these goals within 60 days and provide a progress report to the director of the Office of Management and Budget.
Security and Privacy
Tim Wade, technical director for the CTO team at the security firm Vectra and a former U.S. Air Force officer, notes that the Biden administration tried to address privacy as well as security issues.
"Privacy is itself a form of security - security against the erosion of opportunities for an individual to enjoy fairness, liberty and equality before the law and our society at large," Wade says. "As we forge ahead toward the much needed partnership between federal and private sectors, we will do well to remember that the preservation of individual privacy is among our chief pursuits."
The executive order notes that the commercial software used by federal agencies often lacks adequate controls to prevent attackers from gaining access.
"There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended," the order states.
Addressing the faults in the security supply chain is critical to preventing another supply chain attack such as the one that targeted SolarWinds, experts say.
"This executive order correctly emphasizes enhancing software supply chain security, removing barriers to threat information for government contractors, standardizing agency playbooks for incident response and modernizing federal cybersecurity," says Steve Grobman, CTO at the security firm McAfee.
Within 30 days of the order's signing, the secretary of the Department of Commerce - acting through the director of National Institute of Standards and Technology - must solicit input from federal agencies, the private sector and academia. The government will then use this information to develop guidelines and criteria to evaluate software security and the best practices software developers must use.
Support for Cyber
Some elected officials and private sector leaders who welcome the executive order note that the signing of the directive is only the start of the process required to safeguard the nation's digital infrastructure.
"This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps," says Sen. Mark Warner, D-Va., the chairman of the U.S. Senate Intelligence Committee.
Kelly Bissell, senior managing director of Accenture Security, notes: "Today, with this executive order, we begin on a new path - one where governments and businesses can make faster, more informed decisions around the emerging threats, become more consistent, buy more secure products - and be more cyber resilient. Tomorrow the hard work begins."
Managing Editor Scott Ferguson contributed to this story. Detailed analysis of each of the order's components will follow.