Biden’s Executive Order to Boost Threat Sharing, Supply Chain Security

As the cyberattack on the Colonial Pipeline joins a host of other supply chain security incidents, the President signed an executive order to boost infrastructure security and threat sharing.

President Joe Biden signed an executive order on Wednesday that takes aim at the country’s infrastructure cybersecurity weaknesses and is designed to bolster threat sharing between the government and private security agencies, as well as supply chain security.

“For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money,” a senior administration official said during the press conference. “Instead, we’ve accepted that we’ll move from one incident response to the next.” 

“We simply cannot let ‘waiting for the next incident to happen’ be the status quo under which we operate,” they added. “[P]oor software security, and the current market development of ‘build, sell, and maybe patch later’ means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure.”

The order follows the massive ransomware attack on Texas’ Colonial Pipeline on May 7, which took the company’s computerized equipment offline and temporarily disrupted its 5,550 miles of fuel supply chain on the East Coast. The attack was launched by the DarkSide hacking group.

The Colonial attack joins a host of other supply chain incidents in the last six months, including the Accellion hack and SolarWinds Orion compromise. 

Combined with an increasing number of attempted exploits of publicly known vulnerabilities, such as those found in Microsoft Exchange Servers, there’s a broad sense that the country’s infrastructure is exposed to attack through a range of security weaknesses.

“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” according to the announcement.

“These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents,” it added.

The hope is that the order will mark a decided shift toward modernizing the country’s cybersecurity defenses, first by protecting federal networks, then by improving information sharing between the federal government and the private sector on cyber issues.

The order enables IT service providers to share information with the government, in addition to requiring these vendors to share certain information when a breach occurs.

Vendors are often hesitant or unable to voluntarily share data on compromised networks, which officials explained can occur due to contractual obligations or even fear of repercussions. The order removes those barriers and requires vendors to share breach information that could impact government networks.

Other private sector elements impacted by the order include the establishment of a Cybersecurity Safety Review Board, which will be co-chaired by both private sector and government leads.

The board will convene after major cybersecurity incidents to analyze the event and make concrete recommendations to improve overall security. Officials noted that it’s modeled after the National Transportation Safety Board, used after airplane crashes and other significant incidents.

The move is designed to address a persistent problem: organizations repeating past mistakes after a breach, which leads to further security missteps.

The order will also work to create a standardized playbook and a set of definitions for cyber incident response within government agencies, ensuring agencies are prepared to identify and mitigate threats. Officials said the hope is to provide a meaningful template to the private sector for its own response efforts.

Supply chain security will also get a boost from the order, including standards for software sold to the federal government and the establishment of a public-private process for developing and using “the power of Federal procurement to incentivize the market.”

“It creates a pilot program to create an ‘energy star’ type of label so the government – and the public at large – can quickly determine whether software was developed securely,” officials explained. 

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road,” they added.

The executive order is part of the Biden administration’s broader cybersecurity effort to address the increasing number of supply chain incidents.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger was appointed lead investigator for the federal response to the SolarWinds supply chain attack. The investigation enabled some of the key directives of the latest executive order.