President Joe Biden signed a long-awaited cybersecurity executive order Wednesday, doubling down on the call for public-private sector partnerships.
"I think you're going to see where we need significantly larger number of experts in the area of cybersecurity working for private companies, as well as private companies being willing to share data as to what — how they're protecting themselves," Biden said in a COVID-19 press briefing Wednesday, prior to the order's release.
As Colonial Pipeline restores operations following its ransomware attack and the country recovers from the SolarWinds and Microsoft Exchange compromises, cybersecurity issues have become mainstream, drawing scrutiny from regulators and government officials trying to prevent more large-scale attacks.
The executive order calls for broader information sharing, software security standards, and deepened intersector collaboration to help improve the government's cybersecurity posture. The hope is, higher standards will improve private sector security too.
The order recognizes that government and private sector companies cannot work in silos with limited purview of threatening activity across networks to effectively defend in cyberspace.
The order "offers no real incentives to be proactive. Incentives are not just avoiding punishment when you fail; it's about rewarding the people in the field who know the right thing to do, and work to go the extra mile to do it."
CEO of ForAllSecure
"The Colonial Pipeline incident is a reminder that federal action alone is not enough," the White House said. "Those private sector companies make their own determination regarding cybersecurity investments," leaving the government out of critical infrastructure insights and security.
Though the federal government has expectations for private sector security, abiding by such orders are optional.
The order "offers no real incentives to be proactive. Incentives are not just avoiding punishment when you fail; it's about rewarding the people in the field who know the right thing to do, and work to go the extra mile to do it," David Brumley, CEO of ForAllSecure, told Cybersecurity Dive in an email.
The executive order establishes a Cybersecurity Safety Review Board, composed of members of the government and private sector. Within 90 days of its establishment, the Biden administration expects the board to have recommendations for DHS after its initial review relating to the SolarWinds compromise in December.
Depending on the nature of a cyber incident, the board will bring in a private sector lead with relevant knowledge, a senior administration official told reporters Wednesday. The administration wants a board with relevant experience and insights for future incidents to offer guidance for the rest of their industries.
What's in the order and what's missing
The executive order is a "down payment" on modernizing cyber defenses, the official said. And while it focuses on cybersecurity improvements in the government and federal agencies, the order affects the private sector too.
"The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace," the order said.
Both sectors are hungry for information sharing, but the federal government has proven more in need of it, with less to offer in return. This is slowly beginning to change, though some security practitioners are less optimistic.
Information sharing is "so important, apparently, that we're including it in the executive order that we need to approve it, but how? Like, what is it supposed to do?" said Austin Berglas, global head of professional services, at BlueVoyant and former assistant special agent in charge of cyber at the FBI.
While the order has "great intention," it lacks a level of granularity for understanding what and why they should invest in something, he said.
In a Senate hearing Tuesday, CISA's Acting Director Brandon Wales said Colonial Pipeline did not directly contact the agency following its ransomware attack, though Berglas said the decision was likely due to contacting law enforcement out of habit.
CISA was brought in by the FBI, which Colonial initially contacted. Had law enforcement not included CISA early in its investigations, Wales does not believe Colonial would have contacted CISA, which hinders the agency's overall mission: share relevant threat information to help industries at large.
The executive order will place CISA as a leader in the information-sharing arena and "define the threshold of what needs to be shared for specific incidents," the official said.
If an attack is detected by the private sector first, the Biden administration wants to eliminate "contractual barriers" that prevent service providers from sharing breach-related data.
Additional security hoops to have domino effect
Information sharing between FireEye and the federal government ultimately unraveled the SolarWinds software compromise. The private sector found the intrusion before the government did, including CISA. "FireEye is one of the firms folks call when they discover a breach; so here the very people we call when we get hacked got hacked itself," Sen. Ron Portman, R-OH, said in a March hearing.
Biden's order calls for the director of the Office of Management and Budget (OMB) to review how the government contracts IT and OT service providers. It's an effort to dismantle threat intelligence sharing hurdles. Requirements will ensure service providers "collect and preserve" information "relevant to cybersecurity event prevention, detection, response and investigation" for systems they control.
The common thread among the SolarWinds and Microsoft Exchange hacks was poor software security, the official said. "The current market development of build, sell, and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure," they said.
"Today the cost of insecure technology is borne at the end," the official said. The executive order answers to issues the government has "deferred for far too long." Software-makers that sell to the government will also have transparency requirements.
"There's no way to assess security in the market so there's no way to say, 'Hey, I'll pay a little more to incentivize the market.'"
Senior Biden administration official
The order now asks that within 45 days, the Secretary of Commerce will formalize a definition for critical software, which will "reflect the level of privilege or access required to function" and its dependencies and potential harm if there is an incident.
For companies that are not government contractors, the Biden administration expects the additional security hoops to have a domino effect on private industry. Secure software development "not only benefits the government," the official said. "We're all using the same software, right? We're all using Outlook email, we're all using Cisco and Juniper routers."
However, the order itself is not focused enough on preventing software vulnerabilities, said Brumley. "I'd ask the government to think in terms of economics: What could they do to incentivize preventative behavior?"
As part of the effort to secure software standards, the order includes a pilot labeling program for any given software's "energy star"-like label. In order to achieve an "energy star" in software security, software must meet criteria in testing and assessment.
The official said there will be economic incentives to meet such criteria, it's a "huge market advantage right now," they said. "There's no way to assess security in the market so there's no way to say, 'Hey, I'll pay a little more to incentivize the market.'"
Smaller companies may not have the resources available to meet new security standards, yet play a role in the supply chain. "There's nothing in the order that talks about that," said Berglas.