Seyfarth Synopsis:On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut down pieces of the nation’s critical infrastructure causing gasoline shortages in certain parts of the country.
By “force of law” the EO applies only to the federal government and federal government systems. By extension, the EO applies, or will apply, to thousands of government contractors and subcontractors that provide IT goods and services (e.g., software) to the US government. Notably, many of the cybersecurity provisions have yet to be written and many will have to go through a drafting and comment period. Other of the provisions may look “new” but have actually been around for a while (like multi-factor authentication and end-point solutions).
The order does not touch on every aspect of US business, like critical infrastructure, but it is a wonderfully good start as it sets forth certain policies and procedures that every business must (if you are a government contractor) or at least should consider enacting. The clear implication of the EO is that the government, IT contractors and providers, and the private sector can no longer wait around for the next shoe to drop. The time for action is now.
So despite being aspirational (at least for today and for some time in the future), the EO makes probably its most important point in its opening statement (Section 1. “Policy”): “We are all in this together.” Indeed the EO opens by noting:
“(C)ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
Let’s examine below certain pieces of the EO as it applies both to the federal government and government IT contractors and providers. The private sector should note that, similar to other “standards” like the NIST Cybersecurity Framework (issued under the Obama Administration in February 2014), to the extent it doesn’t follow the guidance and the policies in the EO, they might fall squarely in the headlights of plaintiffs’ class action counsel who may say, if it was in the EO, why didn’t you follow the same guidance.
Removing Barriers to Sharing Threat Information
Given their position in providing IT goods and services to the government, the EO notes that the IT providers are in a very good position to know better than the government the threat landscape and incident information that affect the federal systems they serve. But by contract, the IT provider might be precluded from sharing that information with the government.
In response, the EO pledges that within 120 days, amendments to the contractual language already in use by the federal government is to be recommended to ensure that information pertaining to cyber threat intelligence as well as cyber incident response information can be shared promptly, ideally within three days (a three-day period is already in place under certain federal, state and EU guidelines). The EO is clear on this point: information sharing is one of its highest priorities.
Modernizing Federal Government Cybersecurity
Another high priority of the Biden Administration is the modernization of the federal government cybersecurity architecture (see Section Three of the EO):
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
What does this mean at the end of the day?
Recognizing that the Cloud is likely the future of data storage for the majority of the US Government, yet the cloud has its own set of unique risks and thus needs its own security and incident response strategy;
That the government will move towards a recognized system of identity and access management, including mandatory multi-factor authentication; and that
The government will adopt encryption of data at rest and in transit.
Enhancing Software Supply Chain Security
This section clearly relates to the government’s previous responses to the SolarWinds cybersecurity attack in December 2020. Here, the EO calls upon the National Institute of Standards and Technology to produce guidelines for enhancing the software supply chain security. This guidance shall include standards, procedures or criteria regarding:
secure software development environments, including such actions as:
using administratively separate build environments;
auditing trust relationships;
establishing multi-factor, risk-based authentication and conditional access across the enterprise;
documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
employing encryption for data; and
monitoring operations and alerts and responding to attempted and actual cyber incidents;
generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i);
employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.
Improving Detection of Cybersecurity Vulnerabilities and Incidents
Finally, like is more common already in the private sector, the EO urges the adoption of endpoint detection and response initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The hope is that such initiatives will support a “playbook” that would better demonstrate the EO’s mandate to provide a better level of incident response and remediation capabilities throughout all levels and departments of the levels of government.
The above is just a partial list of initiatives that the Biden Administration has put forth in the EO. There are indeed other initiatives that bear close examination like the NIST Cybersecurity Framework, and there are other technologies, like machine learning anomaly detection devices that also can potentially make the federal government more “cyber safe.” But, the most important part of the EO is that now “there is a plan.” A plan that will be reviewed by experts like the NIST, and thereafter refined and put into place. And with all good fortune that plan will spread like wildfire across the whole private sector as well. Then all parts of government and industry will likely be more cyber safe.