President Biden signed an executive order Wednesday outlining plans to strengthen the U.S.' cybersecurity defenses, including improving supply chain security and implementing specific technologies like zero-trust networks and multifactor authentication.
The government has faced notable incidents, from the SolarWinds supply chain attacks to the more recent ransomware attack on Colonial Pipeline, and the new executive order reflects lessons learned and the changes needed to improve not only the federal government's defenses but also those of critical private sector entities. According to the order, the two incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.
Biden's executive order aims to make a significant contribution toward modernizing defenses and protecting federal networks. Seven priorities are highlighted in the order overall, including removing barriers to threat information sharing between government and private sector, modernizing and implementing stronger cybersecurity standards in the federal government and improving software supply chain security.
"Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life," Biden said in the executive order.
It is no surprise that software supply chain security is one of those priorities. The U.S. government was one of many victims of a supply chain attack on the SolarWinds Orion platform last year. The attack showcased weaknesses in the supply chain and the ability of one hack to claim several high-profile victims.
Under the executive order, such software will be more closely monitored. A baseline of security standards for the development of software sold to the government will be established. That includes requiring developers to maintain greater visibility into their software and to make security data publicly available.
"The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors," the order stated. "There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended."
Additionally, software will be labeled so that the government can identify whether it was developed securely. According to the order, software, including critical applications, is often shipped with significant vulnerabilities that adversaries exploit. The government plans to use its purchasing power to drive the market to build security into all software from the ground up.
"This is a long-standing, well-known problem, but for too long we have kicked the can down the road," the White House said in an accompanying fact sheet on the order.
Another significant aspect of the order mandates investments in specific technologies like zero-trust networks and endpoint detection and response (EDR). For example, the order requires federal agencies to develop a zero-trust architecture plan within 60 days.
While zero-trust models can be challenging to implement, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said they are imperative for the federal government. "We must transition zero trust from a buzzword to the baseline standard for network design and configuration," Wales said earlier this week during a Senate committee hearing on the SolarWinds attacks. "It won't be easy, smooth or cheap but the cost of not doing so is simply too high."
The executive order also mandates deployment of multifactor authentication and encryption for data at rest and in transit within 180 days, as well as accelerating movement to secure cloud services. "Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors," the fact sheet said.
One example was the Accellion data breach earlier this year that impacted both federal and state governments, along with private industry organizations in medical, legal, finance and other sectors. Attackers utilized a zero-day in Accellion's File Transfer Appliance product, a 20-year-old file-sharing application. While patches were released, the victim list only continued to grow. It showcased that even an outdated product nearing its end of life could be used in significant attacks.
Another example occurred earlier this year when a Chinese nation-state group exploited four zero-day vulnerabilities to attack on-premises versions of Microsoft Exchange Server. Though Microsoft released patches for the four zero-days, the tech giant warned that actors may have breached organizations prior to the security updates and maintained presence inside their servers. CISA issued an emergency directive urging enterprises to patch because the exploitation posed "an unacceptable risk to Federal Civilian Executive Branch agencies."
The White House said the executive order is "the first of many ambitious steps" the administration plans to take to modernize national cyberdefenses.