
Biden Calls for Government-Wide 2FA, Energy Star-Type Labels for Software

Among other things, a Wednesday executive order creates a pilot program to create an ‘energy star’ type of label so the feds and the public can quickly determine whether software was developed securely, the White House says.

Chloe Albanesius, Executive Editor, News



In the wake of several high-profile cyberattacks, President Biden on Wednesday signed an executive order that, among other things, calls for tighter IT security across federal agencies, labels on software that give consumers a better idea of built-in security features, and a review board that admin officials likened to a National Transportation Safety Board for cybersecurity.

The executive order “reflects a fundamental shift in our mindset — from incident response to prevention, from talking about security to doing security — setting aggressive but achievable goals to make the federal government a leader in cybersecurity, and improve software security and incident response,” according to senior administration officials.


Government-Wide Two-Factor Authentication

Ransomware attacks like the one that temporarily crippled Colonial Pipeline this week are often executed by malware that steals login credentials. That’s harder to do (though not impossible) if two-factor authentication is enabled, as attackers need more than a password to gain access. So this EO requires federal agencies to adopt multi-factor authentication within 180 days, as well as encryption for data at rest and in transit.

“Following the SolarWinds incident response, we were confronted by the hard truth that some of the most basic cybersecurity prevention and response measures were not systemically rolled out across federal agencies,” a senior administration official said this week.


An NTSB for Cyber Attacks

When incidents do occur, meanwhile, the EO calls for a new Cyber Incident Review Board to issue a post-mortem. It’ll be established by the Secretary of Homeland Security, in consultation with the Attorney General, and include reps from the DOD, DOJ, NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), as well as the private sector.

“We’ve modeled it on the National Transportation Safety Board used for airplane incidents,” the senior admin official said.

The review board’s first order of business: figure out what happened with the SolarWinds attack.


Security-Focused 'Energy Star' Labels

The EO also seeks to make sure the software that’s running on today’s most popular internet-connected devices is actually secure. “It creates a pilot program to create an ‘energy star’ type of label so the government – and the public at large – can quickly determine whether software was developed securely,” the White House says.

Participation by private companies would be voluntary; the National Institute of Standards and Technology will be in charge of encouraging manufacturers to sign on. But senior admin officials likened it to New York City’s restaurant rating system. 

“Today, for example, parents looking at two different video baby monitors have no way of knowing which is built more securely,” they said. “This program will change that — giving the consumer insight while simultaneously rewarding the company that makes the more secure monitor with recognition in the marketplace.”

At the agency level, the EO also requires baseline security standards for development of software sold to the government, development of a playbook for how to respond to cyberattacks, improved attack detection, and improved information sharing among agencies, led by CISA.

“Cybersecurity incidents like SolarWinds, Microsoft Exchange, and now the Colonial Pipeline incident are a sobering reminder that both US public- and private-sector entities are very vulnerable to constant, sophisticated, and malicious attack — from nation-state adversaries to run-of-the-mill criminals,” the White House said.
