Biden signs executive order to improve federal cybersecurity

President Biden on Wednesday signed an executive order aimed at improving federal cybersecurity, with the order coming on the heels of multiple major and damaging cyberattacks, including the one on the Colonial Pipeline.  

A senior administration official told reporters Wednesday that the executive order, which has been in the works since early in the Biden administration, is meant to serve as an example to the private sector of the federal government taking the lead on strengthening cybersecurity.

“Today more than ever, cybersecurity is a national security imperative and an economic imperative,” the senior administration official said. “Today’s executive order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely. It reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”

The executive order requires the establishment of baseline cybersecurity standards for all software sold to the federal government and that all software used by the government meet these standards within nine months. Software developers doing business with the government are required to make their security data publicly available. 

“We wouldn’t build a building without building standards, and we need standards for how we build software securely,” the administration official said. 

In addition, it mandates the deployment of the use of encryption and multifactor authentication by the federal government in what the official described as “tight” timelines, with agencies required to get a waiver from the National Security Council if encryption is not fully implemented in six months. 

It establishes a governmentwide endpoint detection and response system to help federal agencies share cyber threat information and will create a standardized “playbook” for how agencies should immediately respond to future cyber breaches. 

Following the two major cybersecurity incidents in which the federal government did not have enough visibility into the private sector, the executive order requires that IT providers doing business with the federal government report data breaches. 

“Federal agencies can’t defend what they don’t see,” the administration official said. “Removing barriers to information sharing regarding threats and incidents is fundamental pushback to preventing breaches in the first place and empowering the federal government to respond when they do occur.”

The executive order is being rolled out as the Biden administration continues to grapple with escalating cyber threats. 

The SolarWinds hack, first discovered in December, allowed Russian state-sponsored hackers to exploit vulnerabilities in software updates from IT group SolarWinds to infiltrate nine federal agencies and at least 100 private sector groups for most of a year. Biden levied sanctions on Russia last month in retaliation for the hack. 

Complicating matters further, Microsoft announced newly discovered vulnerabilities in its Exchange Server email program that allowed Chinese and Russian hackers to potentially compromise thousands of organizations.

More recently, the administration this week has scrambled to respond to the ransomware attack on the Colonial Pipeline, which provides 45 percent of the East Coast’s oil and was forced to shut down operations until Wednesday afternoon to protect operational systems against the hackers. 

The new executive order stipulates that following future major cybersecurity incidents, a cybersecurity safety review board will be established, co-led between the government and the private sector and modeled on the National Transportation Safety Board.  

The senior administration official said the first board has already been tasked with reviewing the SolarWinds incident and producing a report on the incident.

“This is really the goal, that every major incident that occurs, we have a thoughtful way of reviewing it and learning from it,” the official said. 

Following the escalating cyberattacks, which have also involved ransomware attacks against hospitals and schools during the COVID-19 pandemic, the official stressed that the approach currently taken by the federal government to tackling cybersecurity incidents must change. 

“We’ve accepted that we will move from one incident response to the next, and we simply cannot let waiting for the next incident to happen to be the status quo under which we operate,” the official said.

Senate Intelligence Committee Chairman Mark Warner (D-Va.) praised the executive order, pointing to the recent attacks. 

“The recent Colonial, SolarWinds, and Hafnium attacks have highlighted what has become increasingly obvious in recent years – that the United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage,” Warner said in a statement on Wednesday. 

“This executive order is a good first step, but executive orders can only go so far,” he noted. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”