May 20, 2021 | Policy Brief

New Cybersecurity Executive Order Seeks to Improve Trust Through Verification
President Joe Biden issued a new executive order last week to raise cybersecurity requirements for federal contractors and bolster the cybersecurity of federal networks. While the executive order will better protect the nation from increasingly significant cyberattacks, the order’s policy changes are just the first steps needed to better secure public and private computer networks.

In the past six months, the United States has been hit hard by cyberattacks, including the SolarWinds hack, an expansive espionage campaign that exploited supply chain vulnerabilities to insert a remote-access backdoor and steal information from thousands of companies; the Florida water plant breach, which demonstrated the alarming vulnerability of U.S. water infrastructure; and now the Colonial Pipeline hack, which resulted in the entire East Coast scrambling to buy what gas was still available. Each attack highlighted existing gaps in U.S. cyber policies.

The new executive order would mandate that software purchasers receive a formal record of details, known as a Software Bill of Materials (SBOM), identifying the reused and nested-component software within the products purchased, to ensure the buyers know what their purchases include. Implementing SBOM requirements for contractors and federal acquisitions will enable the federal government to more accurately and efficiently understand and manage the inherent risks from its supply chains.

The executive order also calls for the heads of several federal agencies to review existing cyber-breach reporting requirements for federal contractors under the Federal Acquisition Regulation. This review would expedite government-wide situational awareness of emerging cyberattacks and any associated ripple effects, while enabling swift response and remediation.

Incorporating SBOM requirements and improved breach-notification requirements establishes a baseline of provenance and response that has been lacking in cybersecurity initiatives. However, the Biden administration’s policies focus only on strengthening the security efforts of the federal government and its contractors.

In a briefing call, a senior official in the Biden administration noted that the administration has “pushed the authority as far as we could,” and that congressional action is needed for extending cybersecurity reporting requirements beyond federal contractors to include other relevant stakeholders that backstop the U.S. economy and national security. This assertion is absolutely correct, and the Cyberspace Solarium Commission’s recommendation for the development of a national breach-notification law provides Congress with a blueprint for the type of expanded legislative authority the Biden administration is requesting. This national breach-notification legislation would also help public- and private-sector organizations leverage the lessons learned from all victims of cyberattacks.

The newly signed executive order hits the nail on the head when it says, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.” The government’s existing formula of using yesterday’s intelligence to protect today’s systems from tomorrow’s threats has not been working.

Georgianna Shea is chief technologist of the Transformative Cyber Innovation Lab (TCIL) and Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.