Breaking News Today

Biden orders federal cyber upgrade after barrage of hacks


The far-reaching directive is an attempt to close longstanding gaps in the government’s ability to block and investigate hacks.


President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government’s approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government.

The executive order, which has been in development for months, addresses federal computer networks — not the critical infrastructure operated by private companies such as Colonial Pipeline, which suffered a major ransomware attack that led to hoarding and gasoline shortages throughout the eastern U.S. But some of the directive’s provisions could also influence how the Biden administration works to secure the United States' poorly protected infrastructure facilities.

Biden’s order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enable multi-factor authentication, an extra security step that forces users to enter a randomly generated code after typing in their password. It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government’s response to cyberattacks.

And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.



The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow’s SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies.

“Today's executive order makes a down-payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely,” a senior administration official told reporters. “It reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”

New requirements for agencies

Many of the executive order’s provisions focus on hardening federal computer networks against the most common types of cyberattacks. In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another.

The order also launches a modernization of FedRAMP, the government’s marketplace for cloud computing services such as Amazon Web Services, to better incorporate security requirements. And it calls for the creation of a new federal cloud security strategy, along with guidance for how agencies can safely move data to the cloud.

Holding vendors to a higher standard

In addition to federal shortcomings, the SolarWinds crisis also highlighted the extent to which the government and other customers rely on their suppliers — and especially their software vendors — to protect their own systems from being hacked and turned into launching pads for widespread attacks.

The failure of Austin-based SolarWinds to protect its product development systems essentially turned its early 2020 software updates into superspreader events, seeding customers’ computers with malware that the hackers used to gain a foothold and burrow deeper into victims’ networks. Although the hackers breached some victims without going through SolarWinds’ software, the incident demonstrates how damaging a supply chain attack can be.

Biden’s executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion, and agency contracts will contain standard security provisions no matter what agency issues them.

The information-sharing requirement represents a major step forward. Despite its vast foreign intelligence collection capabilities, the government depends heavily on information from U.S. companies to understand the extent of ongoing attacks, predict future risks and advise its private-sector partners. But legal and reputational concerns sometimes discourage companies from calling the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency or the FBI when they suffer data breaches.

The executive order is particularly focused on software security. It requires OMB to issue a new policy restricting agencies’ use of old, unsupported software, and it calls for new security requirements for software companies that sell to the government, including that they publish data from periodic vulnerability scans. The order also creates a pilot program to test the concept of Energy Star–esque security labels for internet of things devices such as smart watches.

The directive also seeks to encourage the use of a software bill of materials, essentially an ingredient list for software that helps customers understand what kind of code is in the products they’re buying. The Commerce Department’s National Telecommunications and Information Administration has been working with industry to refine the SBOM concept for almost three years.

In the past, Washington has been reluctant to directly regulate the security standards that hardware or software vendors must meet to sell their products in the U.S. The furthest that Congress has gone is requiring IoT makers to meet minimum standards when selling to the federal government.

Better teamwork after a hack

While new network protections and contractor regulations will prevent many basic attacks, the Biden administration also wants to improve the process that kicks into gear when a hack succeeds.

At the forefront of this effort will be the new Cybersecurity Safety Review Board, co-led by DHS and a private-sector representative and including the departments of Defense and Justice and the NSA. Much like the NTSB, the cyber board will examine incidents after they conclude and produce reports on the lessons learned. The board’s first task will be to examine SolarWinds, the senior administration official said.

The order also directs CISA to create “playbooks” that turn lessons from past cyber incidents into advice for managing future ones. OMB is tasked with issuing detailed implementation guidance for the CISA playbooks.

A major part of any incident response effort is reviewing network activity logs, which provide information about how hackers entered and moved around a network, what data they accessed and how they transferred it to their own servers.

The SolarWinds intrusions, in which the hackers hopped onto agencies’ Microsoft email servers, raised questions on Capitol Hill about why Microsoft charges extra money for full access to those servers’ logs, a feature that one congressional aide compared to an airplane’s black box. (In April, the tech giant agreed to waive those fees for its federal customers for one year.)

But just having access to these logs isn’t enough to detect hacks; agencies have to properly maintain and review them. Biden’s order requires the administration to issue a government-wide policy on logging and directs OMB to issue specific guidance for complying with that policy.


Source: Politics, Policy, Political News Top Stories https://www.politico.com/news/2021/05/12/biden-federal-cyber-upgrade-hacks-487731
