WASHINGTON — Following government cyber breaches, the Biden administration issued a cybersecurity order requiring improved protections at government agencies and prompt breach reports from federal computer network and cloud service suppliers.
The executive order signed Wednesday touches on many issues that the Defense Department is weighing to ensure adequate protections among its vast information technology supplier network, an effort driven in large part by lawmakers’ alarm over recent high-profile government network compromises. For example, lawmakers ordered the DoD to assess programs to share cybersecurity information with the defense industrial base and to consider the possibility of a threat-hunting program on vendors’ networks.
The security of the military’s most sensitive information, such as weapon controls and service members’ locations, rides on its cyber protections.
The Biden administration is trying to eliminate any hesitation or contractual barriers that might prevent IT providers from sharing cyber threat information with the government.
“Federal agencies can’t defend what they can’t see,” a senior administration official said during a call with reporters the day Biden approved the plan. “Removing barriers to information sharing regarding threats and incidents is a fundamental first step to preventing breaches in the first place and empowering the federal government to respond when they do occur.”
The order follows a raft of major cyber breaches and compromises over the last year, including the wide-ranging, Russian-orchestrated SolarWinds intrusion of federal systems that compromised the supply chain; a Chinese-orchestrated operation that compromised Microsoft Exchange servers globally; and a ransomware attack against Colonial Pipeline that is affecting gas supplies. Officials said the order would help detect some of these problems much faster in the future.
“Companies need to share information about the incident, the vulnerability, what occurred. We’re really focused on information that’s important to be used to get out information to better help other entities defend themselves,” the senior administration official said. “We’re really creating a common threshold across the federal government to say let’s make sure that info is shared so all can defend themselves and all can get at information to private sector stakeholders and others to enable them to defend themselves as well.”
The order requires, within six months for some agencies, advanced protections including multifactor authentication of users’ identities and endpoint detection systems that constantly monitor for malicious activity and block it.
“Fundamentally what we saw in SolarWinds was that federal government cybersecurity was not at the level needed to detect attempts to intrude and to rapidly find those that are successful,” the administration official said.
Additionally, the new order pushes the federal government to move to secure cloud services and a zero-trust architecture and mandates encryption to secure data.
In the event of a breach or lesser network problem, the order creates a “playbook” or a standard set of definitions for cyber response by federal agencies.
Software suppliers also must provide federal buyers with a “software bill of materials,” essentially a list of ingredients of what’s inside the software. John Cofrancesco, vice president of government business for Fortress Information Security, told C4ISRNET that the bill of materials was “huge.”
“Weapon systems and platforms were once thought to be disconnected standalone systems, because they were not consistently connected to a network,” Cofrancesco said. “That belief has been dispelled in large part due to the heavy reliance on software that must be updated, refreshed, loaded, downloaded and patched. Each of these present unique touch points and access points for adversaries and criminals to corrupt our systems.”
This executive order is the first step in helping to secure supply chains and add greater transparency and accountability.
Officials acknowledge that the order is limited given the authorities afforded to executive orders. While it is a welcome stride, some argue that more needs to be done to protect the federal government from sophisticated intrusions.
“This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps,” Sen. Mark Warner, D-Virginia, chairman of the Intelligence Committee, said in a statement.
Andrew Eversden contributed to this report.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.