President Biden has signed a new executive order that he hopes will improve cybersecurity for Americans and protect federal government networks from attacks like the recent Colonial Pipeline incident.
Biden said malicious cyber activities -- like network hacks, phishing, and data thefts -- have gone too far and that the U.S. cyber defense systems are insufficient, making both the public and private sectors more vulnerable to incidents.
“These incidents share a few things in common. First, a laissez-faire attitude towards cybersecurity,” commented a senior White House official in announcing the order. “For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money. And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ to be the status quo under which we operate.”
Starting at the top
The Colonial Pipeline incident wasn’t pegged as the breaking point that created the new order. It -- along with the SolarWinds and Microsoft Exchange incidents -- proved that U.S. cybersecurity was in a world of hurt. To prevent incidents like those in the future, the White House’s goals will start at the top of the digital food chain with the intent of creating a “zero-trust environment.”
Internet service providers, network security systems, and other top-level segments are being asked to deploy measures like multi-factor authentication, encryption, endpoint detection and response, and logging to keep bad actors at bay. They’re also being asked to share information about the attacks they experience with their peers so an all-for-one, one-for-all community can be nurtured.
The second layer of the Biden administration’s plan deals with improving the security of commercial software by establishing baseline security requirements based on industry best practices.
“We wouldn’t build a building in an earthquake-prone zone without building standards,” the White House official said. “And we need standards for how we build software securely.”
Tighter controls on software development
To that end, the U.S. is kickstarting a pilot program to create an “energy star” type of label so the government -- and the public at large -- can quickly determine whether software was developed securely.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road,” the White House said in a statement.
However, the official warned that this move alone isn’t the answer. “This will be the first of many ambitious steps the public and private sector must and will take together to safeguard our economy, security, and the services on which the American way of life relies,” they said.