On Saturday, Colonial Pipeline acknowledged that it had fallen victim to a ransomware attack that led it to shut down — the biggest known cyberattack on the U.S. energy sector. The attack has led to long lines at the pump in some parts of the southeastern United States.
On Wednesday, the company announced it was restarting operations.
The executive order does not specifically address critical infrastructure such as oil and gas pipelines. But it directs the Commerce Department to craft cybersecurity standards for companies that sell software services to the federal government — a move that officials say they hope will ripple across the private sector nationally and globally and improve cybersecurity for critical systems, too.
“The Colonial Pipeline incident is a reminder that federal action alone is not enough,” the White House said in a statement. The critical systems that deliver water and power are owned by the private sector, a senior administration official said.
“We simply cannot let waiting for the next incident to happen to be the status quo under which we operate,” said the official, who spoke on the condition of anonymity under ground rules set by the White House.
The order also directs agencies to move toward a digital security approach that stresses authenticating users based on behavior rather than just a password or their location. It would use multiple ways to confirm identity and detect cyber threats through anomalous behavior rather than depending primarily on firewalls to keep hackers out.
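As an added illustration of the approach the order describes (this is example code, not text from the order or from any agency), the toy decision function below confirms identity with more than one factor and compares each login against the user's usual devices, countries and hours. Network location is deliberately not an input. The `UserProfile` and `LoginAttempt` classes, the `decide` function and all sample data are constructed for this example.

```python
"""Added example (not the executive order's text nor any agency's code):
a toy access decision that confirms identity with more than one factor
and compares a login against the user's usual behaviour, instead of
trusting a password or a network location alone. Profiles and attempts
below are constructed."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set        # device identifiers seen before for this user
    usual_countries: set      # countries the user normally signs in from
    usual_hours_utc: range    # hours of the day (UTC) when logins are normal


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool
    mfa_ok: bool              # second factor verified
    device_id: str
    country: str
    hour_utc: int


def behaviour_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Ways in which this attempt departs from the user's normal pattern."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    if attempt.hour_utc not in profile.usual_hours_utc:
        signals.append("unusual_hour")
    return signals


def decide(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Return (decision, reasons). Whether the request came from inside the
    corporate network is deliberately not an input: the perimeter earns no
    trust on its own."""
    if not (attempt.password_ok and attempt.mfa_ok):
        return ("deny", ["credential_or_factor_failed"])
    signals = behaviour_signals(profile, attempt)
    if len(signals) >= 2:
        return ("deny", signals)        # several anomalies: block and alert
    if signals:
        return ("step_up", signals)     # one anomaly: demand an additional factor
    return ("allow", signals)


# Constructed sample data
ALICE = UserProfile(known_devices={"laptop-01"}, usual_countries={"US"},
                    usual_hours_utc=range(12, 23))
ROUTINE = LoginAttempt("alice", True, True, "laptop-01", "US", 15)
NEW_PHONE = LoginAttempt("alice", True, True, "phone-07", "US", 15)
SUSPICIOUS = LoginAttempt("alice", True, True, "unknown-99", "NZ", 3)
NO_MFA = LoginAttempt("alice", True, False, "laptop-01", "US", 15)

if __name__ == "__main__":
    for attempt in (ROUTINE, NEW_PHONE, SUSPICIOUS, NO_MFA):
        print(attempt.device_id, decide(ALICE, attempt))
```

The thresholds (one anomaly prompts a step-up, two or more deny) are arbitrary choices for the example; a production policy would be tuned per application and feed the reasons into the detection pipeline rather than only returning them.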
The 34-page document — unusually long for an executive order — calls for the reporting of severe cyber incidents within three days, the creation of a board to review significant incidents, the removal of contractual barriers to reporting federal agency breaches, and strengthening a program that allows a federal agency to test a product’s security before it is sold to the government. It also makes clear that contractors are required to report incidents at federal agencies to the Office of Management and Budget and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“It’s the most ambitious cybersecurity effort from an administration in decades,” said Ari Schwartz, who was a White House cyber official in the Obama administration.
Analysts said the order will have significant implications for the private sector.
“In so many areas of computer security, what the federal government does first, the private sector follows,” said Schwartz, managing director of cybersecurity policy at Venable, a law firm. “What the federal government is requiring here likely will become the standard for all software moving forward — not just in the United States but internationally.”
The order was drawn up in the aftermath of the Russian compromise, named SolarWinds after a software company whose product was tainted by hackers who then used the software to gain a foothold in federal agencies and private-sector targets. That is known as a “supply chain” attack.
The order calls for the Commerce Department’s National Institute of Standards and Technology (NIST) to publish preliminary guidelines within six months for software supply-chain security, and final guidelines within a year. The guidance should include how to check for vulnerabilities, how to find evidence of flaws, ensuring up-to-date provenance of source code, and instructions for using automated tools to validate trusted source code, among other things.
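The following is an added example of the kind of automated provenance check the guidance asks for; it is not code from the article, from NIST, or from any vendor. A build records the SHA-256 of every artifact in a manifest and authenticates the manifest; the consumer re-hashes what it received and rejects anything that differs, which is how a product tainted after the build (the pattern described above) fails validation. The HMAC over the manifest stands in for the producer's digital signature (a real pipeline would use an asymmetric signature), and the key, artifact names and contents are all constructed.

```python
"""Added example, not code from the article or from NIST: a minimal
artifact-provenance check. The producer records a SHA-256 per artifact
and authenticates the record; the consumer verifies the record, then
re-hashes every artifact it received. The HMAC stands in for a real
digital signature, and every key, file and digest is constructed."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, signing_key: bytes) -> dict:
    """Producer side: record a digest per artifact, then authenticate the record."""
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"artifacts": entries,
            "mac": hmac.new(signing_key, body, "sha256").hexdigest()}


def verify_manifest(manifest: dict, signing_key: bytes) -> bool:
    """Reject a manifest whose digests were edited after it was authenticated."""
    body = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    expected = hmac.new(signing_key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_artifacts(manifest: dict, received: dict, signing_key: bytes) -> list:
    """Consumer side: return a list of problems; an empty list means every
    received artifact matches what the producer recorded."""
    if not verify_manifest(manifest, signing_key):
        return ["manifest authentication failed"]
    problems = []
    for name, digest in manifest["artifacts"].items():
        if name not in received:
            problems.append(f"missing: {name}")
        elif sha256_hex(received[name]) != digest:
            problems.append(f"digest mismatch: {name}")
    for name in received:
        if name not in manifest["artifacts"]:
            problems.append(f"unexpected artifact: {name}")
    return problems


# Constructed sample: a clean build, and the same build with one file altered
KEY = b"example-signing-key-not-real"
BUILT = {"agent.dll": b"legitimate build output", "config.xml": b"<cfg/>"}
MANIFEST = build_manifest(BUILT, KEY)
TAINTED = dict(BUILT, **{"agent.dll": b"legitimate build output (modified)"})

if __name__ == "__main__":
    print(verify_artifacts(MANIFEST, BUILT, KEY))     # []
    print(verify_artifacts(MANIFEST, TAINTED, KEY))   # ['digest mismatch: agent.dll']
```

The check only has value if the manifest reaches the consumer through a channel the attacker cannot rewrite; that is why the manifest is authenticated separately from the artifacts, so editing a recorded digest to match a tainted file is itself detected.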
NIST must also define “critical software” and require agencies to adopt security measures for such software. The order gives top officials, including the secretary of homeland security and the secretary of defense, one year to draft language that will eventually bind civilian and military contractors through acquisition rules to conform to these standards.
The government, the senior official said, is “trying to shape the software market using the power of federal procurement.”
CISA already is the lead agency for coordinating cybersecurity across civilian agencies. The order expands its responsibilities to include devising frameworks for cloud security and for improved information-sharing. Many agencies will be required to report their compliance with the new requirements to CISA.
Setting software security standards, said Phil Venables, Google Cloud’s chief information security officer, “is going to be the most significant thing over time because it’s going to the heart of government’s biggest cybersecurity challenge: the need for information technology modernization and diversification.”
He said this is “one of the measures that will have the most impact, but may be the hardest to implement.” But it is “critical,” he said, “to defend against where attackers are and will increasingly be focused.”
The order is intended to push the software industry away from a model of selling first and patching later. That approach has resulted in customers, including the government, unwittingly installing software with significant vulnerabilities, the official said.
“We never buy a family minivan knowing it could have potentially fatal defects with the expectation of recalls or decide whether you want to install and pay for seat belts or air bags afterwards,” the official said. “Today, more than ever, cybersecurity is a national security imperative and an economic imperative.”
Tonya Riley contributed to this report.