What President Biden’s executive order means for supply chain cybersecurity

RiskXchange is one of the firms leading the fight against cybercrime and uses data-driven insights to prevent supply chain data breaches. 

The Biden-Harris administration recently outlined actions to address supply chain disruption in America caused by the pandemic and to decrease reliance on other countries to focus on domestic production. By strengthening American supply chains, the White House felt that it would promote economic security, national security, and good-paying, union jobs at home. 

The current administration is also working hard to address critical cyber vulnerabilities in U.S. supply chains and critical infrastructure, including by issuing the executive order titled “Improving the Nation’s Cyber Security”.

A new task force was created to focus on supply chain cybersecurity and to tackle near-term bottlenecks in construction, transportation, semiconductor production and agriculture. The task force was led by Biden’s cabinet secretaries. 

Cabinet members were ordered to provide reports to the White House which were intended to address concerns about competition with China, supply chain resiliency and cybersecurity threats. 

The administration is taking immediate action to address vulnerabilities and strengthen resilience with the launch of a new effort aimed at near-term supply chain disruptions. It is also crafting strategies for the six industrial bases that underpin America’s economic and national security, with those strategies to be completed within a year. The supply chain reviews reinforce the need for the transformative investments proposed in the president’s American Jobs Plan.

Let’s take a closer look at the Biden administration’s cybersecurity plan: 

On May 12, 2021, President Biden signed an Executive Order titled “Improving the Nation’s Cyber Security”, which was devised to do exactly what it states – improve the nation’s cybersecurity and protect federal government networks. The White House highlighted that recent cybersecurity incidents such as the Microsoft Exchange, SolarWinds and Colonial Pipeline incidents are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defences that leave public and private sector entities more vulnerable to incidents.
 
This executive order makes a significant contribution toward modernising cybersecurity defences by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the administration is taking to modernise national cyber defences.  

However, the Colonial Pipeline incident proved that federal action alone is not enough. Much of America’s domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. The White House encourages private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimising future incidents. 
 
According to a White House fact sheet, the executive order the president signed will remove barriers to threat information sharing between government and the private sector. The order also ensures that IT service providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defences of Federal departments, and to improve the nation’s cybersecurity as a whole. 

Improve Software Supply Chain Security 

The executive order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivise the market.  

It also creates a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. Too much of America’s software, including critical software, is shipped with significant vulnerabilities that adversaries exploit. This is a long-standing, well-known problem. The order highlights the need to use the purchasing power of the Federal government to drive the market to build security into all software from the ground up. 
 
Modernise and Implement Stronger Cybersecurity Standards 

The order also helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government will lead the way and increase its adoption of security best practices, including employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Establishing a Cybersecurity Safety Review Board 

The order also establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyse what happened and make concrete recommendations for improving cybersecurity. Too often organisations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the administration and private sector need to ask the hard questions and make the necessary improvements. This board is modelled after the National Transportation Safety Board, which is used after airplane crashes and other incidents. 
 
Create a Standard Playbook for Responding to Cyber Incidents 

The order creates a standardised playbook and set of definitions for cyber incident response by federal departments and agencies. Organisations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that, within the government, the maturity level of response plans varies widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its own response efforts.
 
Improve Detection of Cybersecurity Incidents on Federal Government Networks 

The order also improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organisation exposed to adversaries. The Federal government should lead in cybersecurity, and strong, government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing is essential.
 
Improve Investigative and Remediation Capabilities 

Finally, the executive order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organisation’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem. 

Get in touch with RiskXchange to find out more about your cybersecurity needs. 

How RiskXchange can help  

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. 

With full visibility over your supply chain’s entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.   

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple, automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.

RiskXchange is an information security technology company which helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.
