Biden’s Cybersecurity Executive Order Focuses on Supply Chain Attacks
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
So begins the May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity released by President Biden and aimed at improving the US Federal Government’s cybersecurity posture. The executive order to protect federal networks and data came on the heels of two significant cyber attacks. The Colonial Pipeline ransomware attack shut down gas to much of the East Coast in the US for five days and reportedly cost the company USD 5 million to recover its stolen data. The SolarWinds supply chain attack was a Russian-backed attempt to commit cyber-espionage against the U.S. Federal Government and other high-profile targets.
The Impact of the Cybersecurity Executive Order
Though the executive order was expected, its language was much stronger than experts anticipated. This effort to bolster the US’s cybersecurity defenses places strict new standards on the security of any software sold to the Federal Government. It also sets up a Cybersecurity Safety Review Board, which could lead to a government rating of the security of software similar to a car’s safety rating. The bottom line is the US government is forcing software companies to practice better security hygiene or risk being shut out of federal contracts.
Reinforcing the message of the executive order, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology in the Biden administration, presented a keynote address at RSA Conference 2021. In her address, she stated, “Cybersecurity is a matter of national security,” and that “the stakes couldn’t be any higher.” She called out supply chain attacks as an area of particular concern. Neuberger also stressed the importance of shifting from a mindset of incident response to one of prevention as cybersecurity defenses are modernized.
The Biden administration is making cybersecurity a priority not only because of the impact of recent attacks on critical infrastructure, but also due to the staggering cost of these incidents, which is often passed on to consumers. According to Ponemon Institute’s Cost of a Data Breach Report 2020, the average cost of a data breach worldwide is USD 3.86 million. In the US, that number jumps to an astonishing USD 8.64 million. The Biden administration hopes that by mandating standards for the Federal Government, other smaller organizations such as schools, state and local governments, and small businesses will also benefit.
Key Highlights of the Cybersecurity Executive Order
The executive order outlined a number of key initiatives to combat the increasing sophistication of cyber attacks from both nation states and cyber criminals going forward. They include the following:
- Better sharing of threat information. Not only is cooperation between the government and private sector encouraged, but private providers’ contractual barriers are removed and they are now required to share with the government certain breach data that impacts federal networks.
- Modernizing cybersecurity standards for the Federal Government. The executive order helps move the Federal Government to secure cloud services and a zero-trust architecture. It also mandates the deployment of multifactor authentication and data encryption both at rest and in transit within the next six months.
- Improving software supply chain security. Supply chain security will be enhanced through the adoption of baseline security standards for the development of software sold to the government. This includes requiring developers to maintain greater visibility into their software and making security data publicly available.
- Establishing a Cybersecurity Safety Review Board. An incident review board made up of public and private sector leads has been established to glean lessons from major breaches. The SolarWinds hack will be the first incident to be reviewed.
- Creating a standard playbook for responding to cyber incidents. To further adopt the shift toward preparedness and prevention, federal agencies should not wait until they are hacked to determine how to handle a breach. A standard playbook ensures all federal agencies handle incidents using the same guidelines.
- Improving detection of cybersecurity incidents on federal networks. The Federal Government wants to lead cybersecurity by example by improving the ability to detect malicious activity on federal networks.
- Improving investigative and remediation capabilities. All federal agencies now have a cybersecurity event log requirement to help detect breaches, stop breaches in progress, and determine the extent of breach after the fact.
Enhancing Software Supply Chain Security
“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”
Software supply chain attacks were one of the main focus areas of Biden’s executive order, which isn’t surprising given the far-reaching impact of the SolarWinds attack on the Federal Government.
Under the executive order, the US Department of Commerce’s National Institute of Standards and Technology (NIST) is tasked with publishing preliminary guidelines for enhancing supply chain security within 180 days. This includes defining criteria for evaluating secure software development environments as well as identifying innovative tools or methods that demonstrate conformance with secure practices. Final guidelines are due within a year.
The supply chain guidelines mandate identifying and using automated tools to maintain trusted source code supply chains that ensure the integrity of the code. The guidelines direct federal consumers to check for known or potential vulnerabilities and remediate them on a regular basis as well as to monitor the integrity and provenance of any open source software used within any portion of a software product. In addition, the guidelines also state that purchasers should be provided with a Software Bill of Materials – also known as an Inventory Report – for every software product.
How Mend Helps
Mend gives you the visibility into your software as required by Biden’s cybersecurity executive order so that you can develop better, more secure code. With Mend, developers and security professionals are given the tools to regularly scan code to identify and remediate known open source vulnerabilities. We also allow you to generate a detailed Inventory Report so that you can identify the components in your software and therefore understand the risks involved in using them.
Mend Supply Chain Defender is yet another tool in your secure supply chain arsenal. Supply Chain Defender is a multi-dimensional tool that scans packages and analyses their behaviors to help prevent supply chain attacks. It allows you to inspect changes in packages before they are allowed so you can control the entire process of open source dependency use.
Mend Supply Chain Defender was created to help protect open source users against software supply chain attacks and has already proven itself to be extremely effective at detecting and blocking attempts at malicious exploits. Mend Supply Chain Defender had already detected and reported hundreds of malicious packages that were swiftly removed from their registry to protect open source users from accidentally installing malicious code.
With known open source vulnerabilities constantly on the rise, you need an automated tool that gives you visibility and control over your software and helps you develop in a secure environment. Not only does using a tool like Mend make good sense, but it could be the difference between securing or losing a federal contract.
A New Era of Cybersecurity
The cybersecurity executive order will have a significant impact on the private sector. Biden is using the power of federal procurement to impel the software industry into creating more secure products. By leveraging the purchasing power of the Federal Government, Biden and his team are hoping that software companies will build security into all software from the ground up, which will have more far-reaching benefits than just for the Federal Government.
Much of the executive order focuses on increased transparency between the public and private sectors as well as adopting the best tools and practices for the job. The ultimate goal is to shift away from incident response to focus on prevention. By building a more secure Federal Government, Biden is hoping to build a more secure global software industry.
