Image: Mackenzie Burke, Getty Images

President Joe Biden signed an Executive Order Wednesday designed to better protect the federal government’s networks from cyberattacks, following the attack this week on the Colonial Pipeline. At the same time, the White House acknowledged that more would need to be done to stop an attack like that, and called the Colonial Pipeline hacking a “sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals.”


The goal of the EO is to modernize cybersecurity defenses by protecting federal networks and improving information-sharing between the government and private entities on cyber matters.

The order specifically calls for:

  • Removing barriers to information sharing between the government and the private sector related to breaches.

  • Modernizing and implementing stronger cybersecurity standards in the federal government. This will help move the government to secure cloud services and a zero-trust architecture, and mandates the deployment of multifactor authentication and encryption within a specific timeframe.

  • Improving software supply chain security by establishing baseline security standards for the development of software sold to the government. This will require developers to maintain greater visibility into their software and make security data publicly available.

  • Establishing a cybersecurity safety review board made up of government and private sector leads.

  • Creating a standard playbook for responding to cyber incidents with a set of definitions for cyber incident response by federal departments and agencies.

  • Improving detection of cybersecurity incidents on federal government networks. The EO aims to improve the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing.

  • Improving investigative and remediation capabilities through the creation of a cybersecurity event log requirement for federal departments and agencies.

Government, private sector leaders react

Sen. Mark Warner (D-VA), chairman of the Senate Select Committee on Intelligence, called the EO “a good first step.” Warner said, “Congress is going to have to step up and do more to address our cyber vulnerabilities,” and he will work “with the administration and colleagues on both sides of the aisle to close those gaps.”

Leaders of cybersecurity firms reacted to the order with cautious optimism, with some also calling to mind the recent SolarWinds attack.

Jyoti Bansal, CEO of Traceable and Harness, said he was encouraged to see the administration taking concrete steps to improve cybersecurity standards.

“The gravity and widespread nature of the SolarWinds attack clearly demonstrates that the impact of nation-state cyberattacks has reached a new level of risk,” Bansal said. “There is so much software development behind how government agencies operate and interact with citizens these days.”

These attacks have shown that software code and all the third-party suppliers in the software supply chain “are the next key vector of attack and will continue to be,” he said.

But Bansal also warned that prescriptive regulation alone is insufficient. “We need industry leaders to adopt secure development practices and make security an unambiguous priority at all levels. Accountability is another part of the answer — the cost of security breaches should be sufficient to motivate vendors and IT professionals to make changes to proactively detect and prevent more vulnerabilities.”

Rick Tracy, CSO of Telos Corporation, said he commends the White House for issuing “an extensive executive order that acknowledges the severity and scope of the cybersecurity challenges facing the public and private sectors, the American people and our economy.”

Tracy said he was encouraged by the overall thrust of the order. He said he especially applauds the fact that federal departments and agencies are being asked to follow in the steps of many in the private sector to “move more rapidly to adopt secure cloud services, the requirement for them to adopt multifactor authentication and the push for increased use in government of such practices as zero-trust architecture.”

Tracy also called the order’s requirement that IT providers must now share breach information “long overdue, as this information is too vital to protecting federal systems for such sharing to be voluntary.”

He said he hopes further government actions will be taken to create incentives to encourage private companies to adopt the NIST Cybersecurity Framework and take other strong actions to better secure their networks and systems.

Charles Herring, CTO and co-founder of WitFoo, said the EO is “wide-ranging and carries an aggressive timeline to make overdue safeguards a pressing priority.”

Herring added that “the mandate for immediate deployment of multi-factor authentication, EDR and log retention technologies across all federal agencies are critical enhancements needed to modernize and harden government infrastructure. These technologies also provide essential visibility into a very wide surface area across the executive branch that will enable investigators to effectively track down and respond to emerging attacks.”

Herring also noted that the second section of the order points to problems with how service providers charge the government for sharing threat and incident information. It calls for the OMB to create new contract language within 60 days to require providers to collect and preserve threat and incident data and to make it available to the federal government, while removing restrictive “contract terms or restrictions” that “may limit the sharing” of this information.

“The language indicates the government is expecting providers to share proprietary intelligence that many providers currently sell at a premium,” he said.

The SolarWinds breach highlighted a need to increase software supply chain audits, he said. In particular, Herring said section 4 of the EO contains “progressive language” requiring software providers to perform source code analysis at release cycles and to provide proof of secure code before delivering new versions to the federal government.

If vendors do not meet these requirements they will lose contracts, Herring said. “For years source code integrity has gone largely unaudited, which is going to leave many software providers scrambling to update secure development operations procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant,” Herring said. “It is a potentially devastating blow to providers that have neglected these hygiene steps.”

At least one security vendor criticized the government for not taking a stronger stance. The EO “is conspicuously absent of any mention of the federal government’s role in providing deterrence to malicious actors,” said Mark Carrigan, senior vice president of global sales excellence at Hexagon. “An offensive cybersecurity strategy cannot be borne by industry. Companies are not in the business of taking countermeasures to disincentivize or punish attackers. It is the responsibility of the government to establish laws and strictly prosecute critical infrastructure cyberattackers.”