The Washington Post

The Cybersecurity 202: Industry groups express cautious optimism about Biden's executive order on software standards


with Aaron Schaffer

Industry is cautiously welcoming the Biden administration's recent executive order mandating new software security requirements for companies that contract with the federal government.

Companies say the standards outlined in the order could bring much-needed clarity to a confusing patchwork of existing federal cybersecurity standards.

“In my view this is the first time the government has been extremely eager and ready and so is the private sector at the same juncture,” says Accenture global cybersecurity lead Kelly Bissell. “So the stars are aligned.”

Bhavesh Vadhani, national director of advisory firm CohnReznick's cybersecurity, technology and privacy practice, agreed.

“Many practitioners have advocated for having a standardized framework,” he said. “I think overall the private sector and federal agencies will benefit from having a standardized framework.”

But industry groups that spoke with The Cybersecurity 202 had a common refrain: the devil is in the details.

The administration has created a tall order in defining security requirements for federal agencies and their software providers. And until those details are fleshed out, it's hard to say if the executive order will move the industry in the right direction and make things safer for everyone.

“I would say industry likes clarity … but industry also likes quality, so if what comes out of it is overly broad and creates more signal than noise, there's a little tension there,” says Henry Young, policy director at BSA | The Software Alliance. “What we want is focused but also clear rather than very broad.”

The executive order, released earlier this month, outlines a number of measures to strengthen federal cybersecurity standards, including instilling more rigorous security requirements for software providers that contract with the federal government, improving reporting practices for cybersecurity incidents and requiring federal agencies to adopt better security practices.

It was developed in response to a sweeping, months-long hacking campaign by Russia that infiltrated nine federal agencies using a vulnerability in commonly used software from Texas company SolarWinds. The Biden administration has since been hit with two other major cybersecurity crises. In March, researchers uncovered that Chinese hackers had exploited a Microsoft Exchange vulnerability to access thousands of affected servers, including those belonging to U.S. businesses and local governments. Earlier this month, a cyberattack forced a major fuel pipeline to shut down operations for several days.

Trade group representatives expressed some concerns about the tight timelines outlined in the order.

The order gives the Commerce Department 90 days to issue preliminary guidelines on a number of software supply chain security matters, including requirements for companies to list the components of their software. Such a task can be complicated because many of those components are open source, experts say. If a requirement is rolled out before companies are able to adequately meet it, it could lead to the government granting waivers.

That could undermine the value of the standard, says Mike Bergman, vice president of technology and standards at the Consumer Technology Association.

While the timeline is ambitious, it's better than continuing to ignore the pressing security problems facing the United States, experts say.

“We need to take some action to deal with these problems because if we don't we will be kicking them down the road and we will be in the same boat 20 years from now,” says Christopher Roberti, senior vice president for cyber at the U.S. Chamber of Commerce.

Industry groups stressed the need for the government to include the private sector in ongoing discussions about standards.

“We think that the private sector is stepping up in a good way, so we would just urge the administration to work with the private sector and consult with us as much as possible,” said Jamie Susskind, vice president of policy and regulatory affairs at CTA.

Note to readers: Today is my last day writing The Cybersecurity 202. Your regular anchor Joseph Marks will return tomorrow. Thank you for reading these past few months. Please follow me on Twitter @tonyajoriley to see what's next.

The keys

The CEO of Colonial Pipeline said paying a $4.4 million ransom to hackers was “the right thing to do for the country.”

Joseph Blount, the company’s top executive, told the Wall Street Journal that the payment was necessary because Colonial’s infrastructure is essential, Jacob Bogage writes. Blount said he made the decision to pay the ransom almost immediately.

“I know that’s a highly controversial decision,” Blount said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

The FBI discourages companies from paying hacking ransoms because it believes such payments will incentivize further criminal behavior. DarkSide, a Russia-based hacking group, has been linked to the breach of the pipeline company, which supplies the East Coast with 45 percent of its fuel.

Energy Secretary Jennifer Granholm told lawmakers that pipeline security is “inadequate.”

Granholm, who testified before the House Energy and Commerce Committee, said she was open to mandatory standards for pipelines in the wake of the hack of Colonial Pipeline, the Hill’s Maggie Miller and Rachel Frazin report.

“If we had had standards in place, would this particular ransomware attack have been able to happen?” Granholm said. “You know, I’m not 100 percent sure.”

The committee’s chairman, Rep. Frank Pallone Jr. (D-N.J.), threw his weight behind “mandatory, enforceable reliability standards for our nation’s pipeline network.” U.S. energy regulators last week also called for mandatory standards.

The CEO of SolarWinds said hackers were looking at the company as early as January 2019.

Chief executive Sudhakar Ramakrishna said hackers were doing early reconnaissance nearly two years before the attack was discovered by cybersecurity firm FireEye, CyberScoop’s Tim Starks reports. The U.S. government has said Russia was behind the attack. Russia’s foreign intelligence agency has denied the accusations.

Ramakrishna also expressed regret for blaming a company intern for their use of a weak password, “solarwinds123,” at a February hearing on Capitol Hill.

“What happened at the congressional hearings where we attributed it to an intern was not appropriate, and was not what we are about or is not what we are about,” he said. “We have learned from that and I want to reset it here by saying that we are a very safe environment, and we want to attract and retain the best talent.”

Government scan

U.S. government denies disrupting Russian ransomware ring that hacked Colonial Pipeline (Ellen Nakashima)

Hill happenings

Trade groups called for congressional appropriators to allocate $750 million more to CISA.

The funding would “materially improve CISA’s ability to meet its critical cybersecurity mission,” the groups said. They also said lawmakers should continue to increase the budget allocation for defense going to the Cybersecurity and Infrastructure Security Agency to $5 billion over the next decade, if not sooner. Signatories of the letter included the Alliance for Digital Innovation, CompTIA, the Cybersecurity Coalition, ITI and the Internet Association.

Securing the ballot

Inspired by Arizona recount, Trump loyalists push to revisit election results in communities around the country (Amy Gardner and Rosalind S. Helderman)

Industry report

Apple’s Craig Federighi throws Mac security under the bus (Protocol)

Daybook

  • The House Armed Services Committee’s cyber subcommittee holds a hearing on President Biden’s budget request for Defense Department technology programs today at 11 a.m.
  • The House Veterans’ Affairs Committee’s technology subcommittee holds a hearing on cybersecurity today at noon.
  • Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) speaks at a workshop hosted by the USC Election Cybersecurity Initiative today at 1:30 p.m.
  • Col. Jeff Erickson, the director of the Army Cyber Institute, speaks at an event hosted by the Information Systems Security Association Northern Virginia Chapter today at 6 p.m.
  • Former undersecretary of defense for policy Michèle Flournoy, the co-founder of WestExec Advisors, speaks at the Institute for Security and Technology’s Strat-Tech conference at 2:10 p.m. on May 25.
  • Homeland Security Secretary Alejandro Mayorkas testifies before a Senate Appropriations Committee panel on Biden’s budget request at 2 p.m. on May 26.

Cypurr 202

I asked for pics of your cyber pets and you delivered. Below are some of my top picks but you can see the full thread of submissions here.
