The Biden Administration is zeroing in on cybersecurity. In the wake of a high-profile wave of cyberattacks, including the SolarWinds supply chain attack and the more recent Colonial Pipeline ransomware attack, President Biden has issued an Executive Order (“EO”) designed to strengthen the federal government’s cybersecurity defenses. And for good reason. The SolarWinds supply chain attack in particular raises significant national security concerns, as hackers were able to access several federal agencies, including the United States Departments of Homeland Security, Defense, State, Treasury, and Commerce’s National Telecommunications and Information Administration. Issued on May 12, 2021, the EO seeks to prevent similar cyber-attacks by directing federal agencies to make a series of changes in how they approach cybersecurity. While the EO is necessarily limited in what it can do—it cannot, for example, make more sweeping reforms such as amending the woefully outdated Computer Fraud and Abuse Act used to prosecute hackers—it is a significant step. Here are the main highlights.
First, in a move reminiscent of the structural reforms made after 9/11, the EO aims to make it easier for federal agencies to share threat information. Currently, third-party IT providers that service federal agencies are limited by contract in their ability to share threat information with other agencies, including those in the Intelligence Community like the FBI. (The EO uses the definition of “Intelligence Community” provided in 50 U.S.C. § 3003(4).) The EO calls for new contractual language that will obligate service providers not only to collect and preserve data relating to cybersecurity, but also to report cybersecurity incidents and share that data with the relevant Intelligence Community agencies.
Second, the EO seeks to modernize the federal government’s cybersecurity infrastructure. Among other things, it calls for federal agencies to advance towards “Zero Trust Architecture,” which is a model of network design that limits the ability of internal users to access data. This helps prevent bad actors who hack one user from infiltrating the entire network. The EO also requires federal agencies to migrate to secure cloud services and to adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent possible.
Third, and no doubt in response to the SolarWinds attack, the EO directs the Secretary of Commerce to issue guidance designed to enhance the security of the software supply chain. The guidance will include, for example, standards for periodically checking software products for vulnerabilities, which must be “at a minimum prior to product, version, or update release.” The EO also calls for the creation of contractual language that will obligate software developers that sell products to federal agencies to comply with this guidance. As noted in the Administration’s press release, it is hoped that these guidelines will set a benchmark for best practices in the private sector.
Fourth, the EO directs the Secretary of Homeland Security to establish a “Cyber Safety Review Board.” The Board will “review and assess” significant cybersecurity incidents and provide recommendations to the Secretary of Homeland Security for “improving cybersecurity and incident response practices.” The EO also specifies that the Board’s first review should be of the SolarWinds incident, underscoring yet again the influence of the recent attacks.
As for the make-up of the Board, no announcements have yet been made. The EO states that the Board will be composed of representatives from the various federal agencies, including the Departments of Defense, Justice, CISA, NSA, and the FBI, as well as representatives from private-sector entities, “as determined by the Secretary of Homeland Security.” The Secretary may also appoint other officials on a case-by-case basis. Though it remains to be seen, one potential pick could be Chris Inglis, who President Biden nominated earlier this year to be the first national cybersecurity director and has been described as the Administration’s cybersecurity “czar.”
Fifth, the EO lays out a plan to create a cybersecurity “playbook,” which will be used to standardize incident responses across federal agencies. One challenge with this aspect of the EO, of course, will be designing a one-size-fits-all playbook applicable to all federal agencies despite their variety.
Sixth, the EO directs the Federal Civilian Executive Branch agencies (that is, all agencies except for the Department of Defense and agencies in the Intelligence Community) to develop programs to increase “visibility into and detection of cybersecurity vulnerabilities and threats to agency networks.” In a similar vein, the EO also directs the Secretary of Homeland Security to release guidance regarding “logging, log retention, and log management,” in an effort to facilitate investigation and remediation of cyber incidents.
President Biden’s EO sets out a comprehensive plan for strengthening the federal government’s ability to defend its networks from the ever-growing threat of cyberattacks. These are welcome initiatives. Obviously, the EO does not, and cannot, update the Computer Fraud and Abuse Act or standardize what is currently a patchwork of inconsistent and often confusing state data privacy laws. Any progress on those projects will require legislative action. But it signals that the Administration is taking the nation’s cybersecurity challenges seriously, and may foreshadow an effort to prod Congress to take on some of these more sweeping reforms. We will keep you updated.
