President Joe Biden on Wednesday signed an executive order that will significantly tighten cybersecurity rules for government contractors and set up an incident review board to try to blunt the impact of major hacks.
The directive comes as the U.S. government continues to grapple with the fallout from breaches at key software suppliers and the disruption of a national pipeline operator by ransomware.
The executive order requires federal contractors to promptly report cyber incidents to agencies, and it establishes a new government entity modeled after the National Transportation Safety Board to review major breaches. It will also require software that the government buys to meet a baseline set of security standards — an effort to make it harder for hackers to tamper with code that ends up on federal networks.
“The current market development of build, sell and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” a senior Biden administration official told reporters Wednesday. “The cost of the continuing status quo is simply unacceptable.”
The directive follows the months-long infiltration of U.S. government networks by alleged Russian spies through the exploitation of software made by contractor SolarWinds. U.S. businesses and local governments also have been rendered vulnerable by flaws in Microsoft software thought to be exploited by Chinese hackers. The hacks have spurred congressional investigations, and led senior U.S. officials to admit that U.S. network defenses were inadequate.
The new executive order aims to raise agencies’ defenses by mandating within months that they use multi-factor authentication, strong data encryption and store computer logs to recover from hacks more swiftly.
The executive order was partly borne out of a frustration from U.S. officials that companies that do business with the government weren’t forthcoming enough about getting hacked. The order goes as far as the executive branch can on that issue without a new breach notification law passed through Congress, the senior administration official said.
“It’s hard to learn from each incident and ensure that broadly government and companies have information to protect themselves,” the official added.
Ari Schwartz, a former senior cybersecurity official in the Obama White House, welcomed the new directive.
“This is really a comprehensive effort to learn from the gaps that allowed the SolarWinds incident to occur in the U.S. government,”said Schwartz, who is now managing director of cybersecurity services at law firm Venable. “It is broad enough that it will also have some impact on protecting critical infrastructure and other organizations including improving software standards.”
The executive order has been in the works for weeks, but the ransomware attack last week on the IT networks of Colonial Pipeline, which transports 45% of the fuel consumed on the East Coast, has made cybersecurity a more tangible issue for many Americans.
The attack on Colonial Pipeline’s computer servers ground the company’s operations to a halt. Energy Secretary Jennifer Granholm has addressed concerns about gas stations running out of fuel in multiple states, and the Environmental Protection Agency has issued “an emergency fuel waiver to help alleviate fuel shortages” in states affected by the pipeline shutdown.
In a statement Wednesday evening, Colonial Pipeline said it had “initiated the restart of pipeline operations” at around 5 pm Eastern Time. “Following this restart, it will take several days for the product delivery supply chain to return to normal,” the statement said.
“Colonial fundamentally was an IT incident, and this executive order would make IT software more secure,” the senior administration official said Wednesday.
In the wake of the incident, which the FBI has blamed on a Russian-speaking cybercrime syndicate, lawmakers have asked the Biden administration to step up its cybersecurity support for pipelines. The chairman of the Federal Energy Regulatory Commission has called for mandatory cybersecurity standards for pipeline operators.
“Any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government, so that our adversaries are not the first ones to discover cybersecurity weaknesses,” Sen. Ron Wyden, D-Ore., said in a statement Wednesday.
The string of high profile hacking incidents has prompted Biden to spend more time on cybersecurity policy in his first 100 days than perhaps any other U.S. president. Biden has blamed Russian intelligence operatives for the campaign that exploited SolarWinds software, and his Treasury Department has sanctioned multiple Russian technology firms for allegedly aiding Moscow’s espionage.
The president has also condemned the ransomware attack on Colonial Pipeline, saying it was carried out by cybercriminals who were at least partly based in Russia. The Russian government, he added, has a responsibility to restrain criminals operating on Russian soil.
The executive order presents a comprehensive set of actions for the federal government to improve the cybersecurity of its networks, but one technology lobbyist who works on cybersecurity said the execution will be key — and could prove difficult.
“Everything that’s in here has been talked about for years. The next steps in terms of implementation and follow through will be absolutely critical,” said Andrew Howell of Monument Advocacy. “It’s great that we have the order. Now they’ve got to do it. That’s always the hard work in this space.”
Agencies also will need to examine whether they have the money and personnel to deliver on the executive order’s tasks, for instance, which could require further White House action, Howell said. Agencies will likely need to write new regulations stemming from this executive order, he added, and then weigh whether those policies are too important to allow for a full period of public feedback.
It’s the type of process that might impact technology companies that deal with the federal government.
“That will have implications in terms of private sector tech companies having to change dramatically for federal government purposes,” Howell said.
Tim Starks contributed to this story.