Biden's cyber order lays foundation for securing government

The Biden administration’s long-anticipated cybersecurity executive order lays the groundwork for modernizing cyber defenses and protecting critical services from attack by improving incident response and information sharing between the public and private sectors.

The spate of recent high-profile attacks is a “sobering reminder” about how vulnerable public- and private-sector entities are to cyberattacks, according to a senior White House official, adding that the new EO represents a “fundamental shift in our mindset” from incident response to prevention.

It mandates several basic cybersecurity practices across the federal government such as multi-factor authentication, encryption and end point detection to be rolled out in as quickly as six months.

“The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption,” according to a White House statement.

The order also mandates contractors notify the government if their networks are breached and share specific details about the incident. The administration official said the Cybersecurity and Infrastructure Security Agency (CISA) will play a major role in helping flesh out what details will be required for disclosures.

The order also establishes a “Cybersecurity Safety Review Board,” similar to the National Transportation and Safety Board, a suggestion that lawmakers and industry have been recommending. Those calls were renewed by senators such as Mark Warner (D-Va.) following the supply chain attack on SolarWinds.

After the EO was published, the senator said the recent attacks highlighted what has “become increasingly obvious” over the past few years. “The United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage,” he said. “This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities.”

The board’s first task will be to review and report on the hacking campaign against SolarWinds, according to the administration official. It will be convened after each cybersecurity incident by the Department of Homeland Security and co-chaired by the DHS secretary alongside a private sector leader who is knowledgeable about the relevant issues.

The administration is also directing the National Institute of Standards and Technology to begin developing a labeling system for internet-of-things devices to help consumers make smarter buying decisions, similar to a system already in place in Singapore.

“The Administration's new Cybersecurity Executive Order lays out an ambitious & achievable workplan to dramatically improve the security of US govt networks by using the power of the purse,“ Chris Krebs, the former CISA chief, tweeted on Wednesday.

This article was first posted to FCW, a sibling site to Defense Systems.