It was a very safe bet that the United States government would take swift action in the wake of the Colonial Pipeline debacle. That action has arrived with a Biden administration executive order that looks to make immediate improvements to the nation’s cybersecurity defenses, with the headline item being new reporting requirements for federal government vendors that experience cybersecurity breaches.
The executive order contains a number of other items, including a new rating system for the security of software supplied to the federal government, new security requirements for federal agencies that stress a behavioral approach to authentication and monitoring, establishment of a new review board for major cybersecurity breaches, and streamlining of federal agency breach reporting procedures.
34-page executive order makes sweeping changes
The executive order makes general reference to “increasingly sophisticated malicious cyber campaigns,” but it is clear that the ongoing Colonial Pipeline incident was the catalyst. States along the southern and eastern coasts suffered shortages as a result of a ransomware attack that shut down the pipeline’s billing systems, with some stations completely running out of gas. The executive order echoes themes established in the recent proposal of a “ransomware task force,” calling for increased partnership with the private sector along with “bold changes and significant investments.”
One of those measures is to facilitate the sharing of threat information. The executive order notes that IT and OT service providers often have contracts that prevent them from sharing information about cybersecurity breaches with other agencies. Agencies are tasked with updating the language of contracts to facilitate cooperation with law enforcement and national defense agencies (such as CISA and the FBI) within 60 days, and to have the updated contract terms in place within 120 days.
An outgrowth of this new requirement is that federal government IT vendors will also be required to report cybersecurity breaches to CISA, with the Secretary of Defense heading up a process to standardize sharing of these reports among relevant investigative agencies. These procedures are to be developed within 90 days and will supersede the existing reporting procedures that each agency currently has.
The executive order also establishes a number of cybersecurity modernization goals: implementing “zero trust” architecture, movement to secure cloud services, and implementation of data analytics in risk management programs. Each agency is required to prepare a zero trust plan within 60 days. CISA, the Department of Homeland Security and the Office of Management and Budget have also been given 90 days to establish a new federal-level cloud security strategy and provide guidance to other agencies. All agencies will also be required to adopt multi-factor authentication and encryption for data both at rest and in transit within 180 days.
Federal contractors in the spotlight
While there is a strong focus on establishing new procedures for federal agencies, the role of software vendors in cybersecurity breaches is also being heavily scrutinized. In addition to the new reporting requirements, NIST has been ordered to come up with new guidelines for software supply chain security within 180 days. Among other items, vendors will be required to test source code to minimum standards, and a pilot program will be launched to explore ways of educating the public as to the relative security of software and “internet of things” (IoT) devices. The end result of this program could be a mandatory labeling system that assigns security level ratings to these products. Software developers will also be required to share certain data about their product security with the public.
David McNeely, chief technology officer for ThycoticCentrify, is optimistic about this particular piece of the new plan: “This executive order (EO) is a positive, as it seems to expand on the standard for organizations supplying technology to the federal government that the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have been driving. It appears that, through the new EO, those vendors will now be required to protect ‘controlled unclassified information’ in their nonfederal systems as defined in NIST 800-171. We see this as a clear way to expand the security controls defined by NIST, and even the already-stringent FedRAMP authorization, as a best practice guidance for all government agency suppliers. Plus, it marks a positive step in transparency between technology vendors and government organizations. The security community is stronger together, and information sharing on vulnerabilities, breaches, new nation-state threat groups and more will benefit the industry as a whole while simultaneously protecting federal entities.”
The Secretary of Homeland Security and the Attorney General have also been instructed to establish a “Cyber Safety Review Board,” a concept that was first proposed in the Homeland Security Act of 2002. The board will review and assess “significant” cybersecurity breaches that impact both federal and non-federal systems. Qualifying cybersecurity breaches would trigger a meeting of the board, which would have members from the major defense and law enforcement agencies in addition to representatives from private sector cybersecurity firms.
Cybersecurity experts are generally supportive of the proposed measures. The concern of compliance cost for smaller vendors is always raised when the prospect of major new security regulations appears, but Neil Jones (cybersecurity evangelist for Egnyte) believes that the conditions and stakes have changed such that smaller organizations will need to have cybersecurity postures that are just as strong as their larger counterparts: “If we hope to protect our critical infrastructure and government entities, requirements need to be stronger, with more stringent certifications required to work on federal contracts. In addition, there should be a stronger emphasis on adopting a data-centric security strategy that properly secures and governs sensitive information (especially for supply chain relationships), which currently represents the soft underbelly for cyberthreats. Finally, we can anticipate that successful techniques attackers employ on larger organizations will be adapted for use on smaller organizations, which generally have smaller security teams and less advanced security protocols.”
Response to cybersecurity breaches to be coordinated and standardized
In addition to all of these new requirements, the incident reporting process to be used across federal agencies is to be standardized and centralized within 120 days. The executive order calls for a cyber attack “playbook” to be provided to all federal agencies, to be managed on an ongoing basis by CISA and the National Security Agency (NSA).
This is an element that certainly would have been helpful in the Colonial Pipeline response. The issue was initially clouded by conflicting reports over the weekend, and Americans in the impacted states began to notice long lines for gas and certain stations running out of supply as the week began. On Thursday, reports indicated that Colonial Pipeline had paid $5 million in ransom to the attackers shortly after the breach was detected, something that the FBI and other agencies have publicly discouraged. A scathing outside tech audit from three years ago also surfaced, in which the auditor described the Colonial Pipeline network as “a patchwork of poorly connected and secured systems” and followed up by saying that “an eighth-grader could have hacked into that system.”