Understanding President Biden’s Executive Order on Cybersecurity

The attacks on SolarWinds, Colonial Pipeline, and the US International Aid Agency are three large-scale cyberattacks that targeted US infrastructure. They disrupted supply chains and fuel distribution channels, underscoring the lack of strong cyber defenses. As a first step toward modernizing US security defenses, President Biden signed an Executive Order that forms the basis for a more collaborative effort to harden US cybersecurity.

SolarWinds

SolarWinds is a Texas company that offers network management tools to government agencies and private sector companies such as Microsoft and FireEye. The company delivers automatic updates to its Orion platform at client locations, and many organizations install these updates automatically. Unfortunately, the update in late 2020 had been compromised, and malicious code was downloaded along with the legitimate software. The hack was not discovered until FireEye detected the malicious software running on its clients’ systems. The scope of the breach is unknown, as the investigation is still ongoing months after the initial detection.

Colonial Pipeline

The media made sure the world saw the consequences of the cybersecurity breach at Colonial Pipeline: long lines at gas stations, fuel delivery by truck, and temporary station closures due to lack of product. All of this chaos was the result of a compromised email.

Colonial suffered a ransomware attack. Most likely, an employee accidentally clicked on a contaminated link that downloaded the ransomware onto the administrative side of the company’s network. When the software was discovered, company-wide operations were shut down until system control could be returned to Colonial.

Colonial was unable to regain access to its systems because the ransomware blocked both backups and production data. The hackers also stole data that they threatened to publish if the ransom was not paid. Eventually, the company paid 75 bitcoin, about $4.4 million, to regain control.

US Agency for International Development (USAID)

According to Microsoft, USAID suffered a supply chain attack in May 2021. Microsoft believes the hackers were part of the same nation-state group that initiated the SolarWinds attack. The cybercriminals compromised Constant Contact, a marketing firm that provides email services to multiple organizations, including USAID.

Hackers sent compromised emails that appeared to come from USAID. These emails contained links that downloaded malware onto the recipient’s system. From there, the attackers could read emails, plant additional malware, and steal information. In this attack, the hackers appear to have tailored their malware to the specific recipient, making for a far more sophisticated attack.

Executive Order

Because of the magnitude of these most recent attacks, President Biden’s executive order looks to strengthen cybersecurity throughout the government’s supply chain. The order includes the following seven directives.

Information Sharing Between Government and Private Sector

When a cybersecurity event occurs, organizations are not always forthcoming with details. Sometimes the reluctance is based on contractual obligations. Whatever the motivation, under the order IT service providers must share breach information with the federal government. By removing contractual barriers and enforcing data sharing, the government is increasing the effectiveness of its cybersecurity defenses. When more data is shared, better protocols can be implemented to protect the public and private sectors from cybercriminals.

Implement Stronger Cybersecurity Standards

The government needs to promote better cybersecurity by establishing stronger standards that apply to the public and private sectors doing business with the federal government. These standards should include the implementation of secure cloud services, zero-trust architecture, data encryption, and multi-factor authentication. Dates should be established for compliance with the standards.

Improve Software Supply Chain Security

The Executive Order establishes a baseline of security standards to be applied to all software developed for the federal government. This mandate requires developers to make security data available and to maintain greater visibility into the end product. Public and private collaboration should be used to find new and innovative ways to secure software, and the government’s procurement power should be used to incentivize the market to improve.

The process should include a pilot program that identifies levels of software security that can be applied to each software solution. The designator could be similar to the Energy Star rating applied to appliances and equipment. Today’s software is often shipped with known vulnerabilities that can be easily exploited. It is time for the government to step in to ensure that security is part of software design.

Create a Cybersecurity Safety Review Board

A Cybersecurity Safety Review Board, co-chaired by government and private sector leaders, should be created to review any significant cyber incidents in much the same way the National Transportation Safety Board reviews airplane crashes and other incidents.

The board should analyze what happened and make recommendations for improvement. The goal is to prevent organizations from repeating mistakes that others have made. Answering difficult questions may be necessary to ensure the country’s cybersecurity.

Prepare a Standard Playbook

Playbooks help organizations know what to do when a cyber incident occurs; however, the government does not have a standard playbook for cybersecurity response procedures. Individual agencies may have playbooks, but there is no government-wide standard.

Creating a playbook means that individuals know what to do when a cyber incident is detected. People do not have to decide what to do as the event is happening. Instead, they have a clear set of directions to follow. A playbook ensures that all agencies conform to a level of preparedness to identify and mitigate a threat. It can also serve as a template for the private sector.

Improve Detection of Cybersecurity Incidents

Government networks need to deploy modernized tools to detect malicious activity at endpoints, especially now that more IoT devices are being deployed. The Executive Order improves detection ability and information sharing through the deployment of a government-wide endpoint detection and response (EDR) unit.

Improve Investigative and Remediation Capabilities

Poor system-wide logging capabilities hamper the ability to detect intrusions, mitigate ongoing intrusions, and analyze incidents. Robust and consistent logging can help address this problem. The Executive Order creates event log requirements that all federal departments and agencies must follow, ensuring a robust supply of data to support incident analysis and corrective action.

Private Sector

The executive order applies to government departments and agencies, along with their supply chains. That means private companies have a part to play in maintaining secure cyberspace for American businesses and the government. At Virtual IT, we help protect businesses from cyberattacks and strengthen their cyberinfrastructure to detect and mitigate compromises. If you are interested in learning more, contact us.