Biden administration releases ambitious cybersecurity executive order

Though lacking in definitional clarity, this new executive order might be more effective than past federal efforts, especially in the wake of the Colonial Pipeline attack.

President Joe Biden delivers remarks about the Colonial Pipeline hack. [Washington / 2021.05.13]
Evan Vucci / AP / Shutterstock

Capping a dramatic week that saw major oil pipeline provider Colonial Pipeline crippled by a ransomware attack, the Biden administration released a highly anticipated, far-reaching and complex Executive Order on Improving the Nation's Cybersecurity. The executive order (EO) aims to chart a "new course to improve the nation's cybersecurity and protect federal government networks."

The ambitious document uses the SolarWinds supply chain compromise, the mass exploitation of on-premises Microsoft Exchange servers, and the Colonial Pipeline ransomware infection as springboards for a series of initiatives that aim to reduce the frequency and impact of these kinds of incidents. These initiatives are:

  1. Remove barriers to threat information sharing between government and the private sector, particularly ensuring that IT service providers can share security breach information with the federal government.
  2. Modernize and implement stronger cybersecurity standards in the federal government, including a move to secure cloud services and zero-trust architecture, and mandates for multi-factor authentication (MFA) and for encryption of data at rest and in transit.
  3. Improve software supply chain security, including establishing baseline security standards for the development of software sold to the government. The Commerce Department must publish the minimum elements of a software bill of materials (SBOM), an inventory of the individual components that make up a piece of software.
  4. Establish a Cyber Safety Review Board consisting of government and private sector experts who convene following a significant cybersecurity incident to analyze it and make recommendations, much as the National Transportation Safety Board (NTSB) does in the aftermath of a major transportation accident.
  5. Create a standard playbook for responding to cyber incidents so that all federal agencies follow the same procedures and use a common set of definitions for incident response.
  6. Improve detection of cybersecurity incidents on federal government networks by deploying a government-wide endpoint detection and response (EDR) capability and improving information sharing within the federal government.
  7. Improve investigative and remediation capabilities by creating cybersecurity event logging requirements for all federal agencies.

Lawmakers praise the executive order

The initial reaction from lawmakers to the EO has been positive. Congressman Jim Langevin (D-RI), chair of the House Armed Services Subcommittee on Cybersecurity, Innovative Technologies, and Information Systems and a member of the Cyberspace Solarium Commission, issued a statement saying, "Cybersecurity is the most urgent national security challenge facing our nation, and I applaud President Biden for taking action early in his term to address and eliminate glaring vulnerabilities."

Senator Mark Warner (D-VA), Chair of the Senate Intelligence Committee, called the EO a "good first step." Senator Edward J. Markey (D-MA) and Congressman Ted W. Lieu (D-CA) praised the EO's creation of a new pilot program to "educate the public on the security capabilities of internet-of-things (IoT) devices."

Experts cite definitional challenges

However, the EO, which contains 46 action deadlines for implementing its objectives, leaves open how many of those objectives will actually be achieved. "It leaves a lot undefined and delegates enormous discretion to NIST and the FAR Council," Megan Brown, partner at Wiley Rein, tells CSO. The order directs the National Institute of Standards and Technology (NIST) to publish guidance for implementing zero-trust architecture, to define what counts as "critical software," and to develop guidelines for evaluating software security.

NIST is further assigned a series of tasks under the EO to hammer out critical components of the consumer IoT security labeling program, including establishing pilot programs and identifying IoT cybersecurity criteria for use in the program. The Federal Acquisition Regulatory Council (FAR Council) is assigned numerous tasks related to developing contract language for the information-sharing requirements.

Definition of security breach is subjective

Former White House CIO and current CEO of cybersecurity company Fortalice Solutions Theresa Payton praises the creation of the Cyber Safety Review Board but says she has concerns about the execution side of the order. "The order requires IT service providers to tell the government about cybersecurity breaches that could impact US networks. This is a very subjective request," she tells CSO.

"I look at this as somebody who manages practitioners. I'm looking at this fairly subjective request and thinking I have no idea how to comply with something like that," says Payton. "It doesn't really spell out which department or agency will be responsible for making sure that happens. Like who, who are you telling in the government? Is it the FBI? Is it NSA? Is it CIA?"

Setting aside the security implications of centralizing breach information with the federal government, which would itself become a high-value target for cybercriminals, Payton says the definitional challenges are significant. "An unauthorized login or access is considered a cyber incident. I may get a call from a client who says, 'We're seeing irregularities in our security operations center.' We may actually enact our incident response team and find it was a software application behaving badly that needs to be fixed. Yes, there was unauthorized access, but there was no exposure to data being in the wrong hands. Does that need to be reported?"

Payton is also concerned about reconciling whatever security breach reporting is required under the EO with the data breach reporting requirements enacted by all US states and jurisdictions. "We have a patchwork quilt of data breach notification laws in the United States. We're one of the few countries that operate that way. Are we following the states' rules, or is there a new rule here about what constitutes a reportable incident?"

Michael Hamilton, the former vice-chair for the DHS Coordinating Council, former CISO of Seattle, and CISO of incident response firm CI Security, tells CSO that many sections in the order are "extremely straightforward and just make all the sense in the world," such as requiring federal agencies to manage vulnerabilities and incidents in a standardized way. He also says that the Biden administration will have to "do some sanding off the edges here. There are some definitional issues that I think need to be addressed and clarified."

The NSA plays a prominent role

The National Security Agency (NSA) plays a significant role in many aspects of the EO's implementation, including defining what constitutes a security breach that organizations should report to the government. "The NSA, in particular, is the agency that has the expertise to track down these criminals and name them by name," Hamilton says. "The NSA is prohibited from domestic surveillance. If the NSA is coming up with a set of rules that determine when service providers will turn over data for investigation, if they're the ones that are going to figure this out, it's because one would imagine they want to get over this barrier of not being able to get a look at what's going on internally in the United States in terms of network traffic passing through our service providers and carriers."

"I think that this is a way that they're trying to address that," says Hamilton. "If they have a seat at the table, it's because there are certain things that they want reported because they know how to use it."

Is this EO any different from past efforts?

It's not clear that this EO differs from past federal government efforts to tackle cybersecurity. "I would like to see more, and I would like to see it be less about frameworks and information-sharing because that's been the holy grail since the Clinton administration," Payton says. The holy grail always involves "doubling down and saying, let's throw more people at it and more frameworks at it. Maybe instead, let's look at the problem in a completely different way. Maybe we need some creative minds from the cryptocurrency and the non-fungible tokens realm," Payton jokes. "Maybe we have to get different innovators in here that haven't been the practitioners."

Hamilton thinks that this time, the federal initiative to solve cybersecurity's intractable problems is different and might work. "We have never had our asses handed to us like we have in the last six months. This is different. This is not the end-all and be-all of everything, but this is going directly to the heart of some of the things that have happened in the last six months, specifically, the supply chain security stuff."

"The federal government, because they spend so much money, can do whatever they please in terms of creating requirements for products and vendors, who, if they want the gig, are going to have to step up," says Hamilton. "That's why this is different. This is purely using economic means, market forces, the power of the purse, competitive differentiation to get what you want in cybersecurity, instead of 'here's all the requirements you're going to have to meet.'"

Copyright © 2021 IDG Communications, Inc.