with Aaron Schaffer

In the wake of yet another major cyberattack, the Biden administration unveiled a historic cybersecurity directive that officials hope will initiate major change in U.S. cybersecurity standards.

The directive outlines a number of measures to strengthen federal cybersecurity, including instilling more rigorous security requirements for software providers that contract with the federal government, improving reporting practices for cybersecurity incidents and requiring federal agencies to adopt better security practices.

“We simply cannot let waiting for the next incident to happen to be the status quo under which we operate,” a White House official said.

The executive order was developed in response to a sweeping months-long hacking campaign by Russia that infiltrated nine federal agencies using a vulnerability in a commonly used software from Texas company SolarWinds. The Biden administration has since been hit with two other major cybersecurity crises. In March, researchers uncovered that Chinese hackers exploited a Microsoft Exchange vulnerability to access thousands of affected servers including those belonging to U.S. businesses and local governments.

More recently, a cyberattack forced Colonial Pipeline, which provides almost half the fuel for the East Coast, to shut down its operations late Friday in a precautionary effort to stop hackers from accessing systems operating the pipeline. Officials have found no evidence that hackers accessed the pipeline's operational technology and the company resumed operations yesterday. However, the days-long shutdown spurred panic-buying at the pump and skyrocketing gas prices, creating a politically fraught situation for the Biden administration. 

Biden's executive order does not directly address pipeline security. But officials hope that by leveraging the federal government's buying power, it can force a shift in industry standards that will benefit critical service providers as well as average consumers.

“Colonial fundamentally was an I.T. incident. And this executive order will make I.T. software more secure,” a senior official told reporters. “And because the U.S. government uses data software, any data software sold to the [United States] will have to meet the standards referenced in the executive order.”

Experts say that, if implemented to its full potential, the order could do just that.

"In so many areas of computer security, what the federal government does first, the private sector follows," Ari Schwartz, managing director of cybersecurity policy at Venable and a former Obama White House official, told Ellen Nakashima. "What the federal government is requiring here likely will become the standard for all software moving forward - not just in the United States but internationally."

The wave of cybersecurity crises threatening national and economic security also underscores the urgency.

"We know that cultural change takes time but what we have now is urgency that is understood by industry and government," said Kiersten Todt, managing director of the Cyber Readiness Institute. "We saw how not patching your network led to three-block lines for getting gas in Virginia this morning."

The order gives the Commerce Department six months to publish preliminary guidelines for software security and a year to publish final guidelines. The guidelines will set standards for key security steps for federal agencies and contractors, such as scanning for vulnerabilities and keeping code up to date.

As part of the new standards, federal agencies will be required to adopt practices such as keeping logs of activity, which makes incident response easier, and using encryption.

The Department of Homeland Security will also play a key part in executing the order. In addition to refining standards for reporting cybersecurity incidents, DHS will help establish a Cyber Safety Review Board composed of public and private sector stakeholders to review events and make safety recommendations. The board is modeled on the National Transportation Safety Board, with the aim of doing for cybersecurity what investigations of car crashes did for vehicle safety. An inaugural board to review the SolarWinds hack and develop the board's practices has already been launched.

“As growing traffic accidents drew a focus on safety with built-in airbags and seatbelts, the growing number and impact of software security incidents has to be a basic design consideration,” the White House official said. “We [would] never buy a family minivan knowing it could have potentially fatal defects with the expectation of recalls or decide whether you want to install and pay for seat belts or airbags afterwards. Today, more than ever, cybersecurity is a national security imperative and an economic imperative.”

Experts and lawmakers expressed optimism about the order's potential. 

But administration officials acknowledge it alone won't fix the cybersecurity crises.

The White House official characterized the order as just a first step in a number of initiatives bringing together the public and private sectors. The new standards could also serve as a jumping-off point for Congress, where lawmakers have discussed legislation that would create mandatory incident-sharing guidelines for all companies, not just government contractors.

“This executive order is a good first step, but executive orders can only go so far,” said Sen. Mark Warner (D-Va.), chairman of the Senate Select Committee on Intelligence. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”

That includes ensuring that federal agencies are properly resourced for the transition. 

“Public-private partnerships are essential to enhance cybersecurity and ensure that systems are updated and configured to deal with current threats,” said Christopher D. Roberti, senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce. “To continue this important work, Congress will need to provide federal agencies and law enforcement with resources to confront our adversaries in cyberspace and bring them to justice. Strategy without resources is just rhetoric.”

Chat room

Former Cybersecurity and Infrastructure Security Agency director Chris Krebs praised the executive order:

Dmitri Alperovitch, the executive chairman of the Silverado Policy Accelerator, said it would move government cybersecurity in the right direction:

HashiCorp co-founder Armon Dadgar said the zero-trust elements of the order are a “big nudge”:

Brett Winterford, Okta's senior director of cybersecurity strategy:

Mandiant's Andrew Thompson:

The keys

The United Kingdom’s top diplomat blasted Russia for not prosecuting cyber criminals.

Foreign Secretary Dominic Raab said that Moscow has a responsibility to prosecute cybercriminals. His statement was condemned by Russia’s embassy in London, which called it “propaganda and disinformation.”

Raab also announced 22 million pounds ($31 million) in funding to boost cyber capacity-building and incident response in developing countries and around the world, including in Africa and the Indo-Pacific. As part of the investment, the United Kingdom and Interpol will set up a cyber hub in Africa.

“We have got to win hearts and minds across the world for our positive vision of cyberspace as a free space, open to all responsible users and there for the benefit of the whole world,” he said. “And frankly, we’ve got to prevent China, Russia and others from filling the multilateral vacuum.”

The Biden administration has also made a push for global cooperation in punishing countries that host cybercriminals with impunity.

The FBI warned that hackers are using ads on search engines to trick people into handing over their banking information.

The FBI said in an alert that the campaigns have caused “hundreds of thousands of dollars in financial losses,” the Record’s Catalin Cimpanu reports. A hacking group placed malicious search engine ads masquerading as a U.S. financial institution and also relied on a malicious site showing up in search engine results.

People who entered information on the site would get a phone call from a hacker claiming to represent the financial institution. At the same time, an associate would take money out of the victim’s accounts, according to the FBI alert.

Leaked emails from a law firm hired by the city of Chicago are causing headaches for officials.

The emails, which were sent by current and former employees of the city, were stolen by hackers who breached a file-sharing system used by Jones Day, a law firm working for the city, Reuters’s David Thomas reports. The emails reveal the inner workings of the Chicago mayor’s office and police department, including details about a drone program and how the city investigates fatal police shootings.

“I think the big thing people should take away and why they’re newsworthy, they shine the light on interactions the public would never see,” said Freddy Martinez, the executive director of Lucy Parsons Labs and a member of the board of Distributed Denial of Secrets. The two groups released the emails.

A Chicago law department spokeswoman said that the city will not respond to any media inquiries stemming from information obtained through a ransomware attack. Chicago Mayor Lori Lightfoot said this week that the city and Jones Day refused to pay ransoms to the hackers who stole the emails.

Hill happenings

A Senate committee advanced cybersecurity bills that would boost the cyber workforce and authorize funding to respond to hacks.

The Senate Homeland Security and Governmental Affairs Committee advanced bills that would set up a $20 million fund for responding to cyber incidents; create a rotational cyber workforce program; develop a process and strategy for identifying risks to critical infrastructure; direct U.S. government officials to develop guidelines for U.S. government employees to uninstall TikTok from devices; and ban the U.S. government from buying drones from Chinese companies.

Daybook

  • Sen. Thom Tillis (R-N.C.), former Google CEO Eric Schmidt and Gilman Louie, who ran the CIA’s In-Q-Tel venture capital fund, discuss artificial intelligence at a Center for Strategic and International Studies event today at 3 p.m.
  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang on Friday at 11 a.m.
  • Steve Luczynski, who leads CISA’s coronavirus task force, speaks at 4:15 p.m. on May 17, the first day of the RSA Conference.
  • The Homeland Security and Governmental Affairs Committee holds a hearing on the Department of Homeland Security’s intelligence and analysis office on May 18 at 10 a.m.
  • Deputy national security adviser for cyber and emerging technologies Anne Neuberger speaks at the RSA Conference at 11:45 a.m. on May 18.
  • The Senate Armed Services Committee’s cyber panel holds a hearing on the cybersecurity of the industrial base on May 18 at 2:30 p.m. 
  • SolarWinds president and CEO Sudhakar Ramakrishna speaks at the RSA Conference at 11:50 a.m. on May 19.
  • The House Armed Services Committee’s cyber subcommittee holds a hearing on President Biden’s budget request for Defense Department technology programs on May 20 at 11 a.m.
  • Col. Jeff Erickson, the director of the Army Cyber Institute, speaks at an event hosted by the Information Systems Security Association Northern Virginia Chapter on May 20 at 6 p.m.