In Wake Of Pipeline Hack, Biden Signs Executive Order On Cybersecurity
President Biden signed an executive order Wednesday boosting America's cyberdefenses following a ransomware attack on a company that operates a pipeline that provides nearly half of the gasoline and jet fuel for the country's East Coast.
The broad order, which the administration had been working on for months, aims to strengthen cybersecurity for federal networks and outline new security standards for commercial software used by both business and the public.
"Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals," the White House fact sheet says.
In a briefing with reporters Wednesday, a senior Biden administration official said that the order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security."
As NPR first reported last month, the order lays out a series of new requirements for companies that do business with the federal government.
The administration's goal is not only to boost federal defenses but also to use the purchasing power of the government to get those higher standards to trickle down to the private sector.
The administration also wants to pilot a program like those Energy Star ratings on appliances so consumers know if software was developed securely.
"We see small companies being forced to pay a ransom to get their business back up and running," Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, told NPR's Dina Temple-Raston in a recent interview. "You know, we see school systems' networks down due to criminals. So those risks touch everyday Americans' lives, as well as at the national level."
Biden's order requires companies to report certain information about cyberbreaches. It updates security standards on government networks, including mandating multifactor authentication and encryption. And it creates a playbook for cyber-incident response by federal agencies.
It also establishes a Cybersecurity Safety Review Board to analyze incidents. It's modeled on the National Transportation Safety Board, which reviews airplane crashes and incidents with other modes of transportation.
The order comes in the wake of the Colonial Pipeline hack and after other recent cyberattacks. (Colonial had just restarted its pipeline earlier Wednesday.)
A focus on Russia
While cyberthreats come from all over the world, the pipeline attack brought focus back to Russia, because Biden says the alleged criminal group has ties to the country.
Biden expects to meet with his Russian counterpart soon. He suggested this could be a topic of discussion.
"I'm going to be meeting with President [Vladimir] Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there's evidence that the actors' ransomware is in Russia," Biden has said. "They have some responsibility to deal with this."
The two are expected to meet during Biden's trip overseas to meet with European leaders next month.
Matthew Rojansky, director of the Wilson Center's Kennan Institute, who is close to the administration, said both governments are vulnerable to cyberattacks.
He said it's in both of their interests to start a conversation on rules of engagement, which he added could be part of larger plans to discuss arms control and security.
"And you can start just by laying out red lines and talking about deterrence," he said. "You know, 'If you do X, we do Y, and you don't want Y, so don't do X,' but you can move from there eventually, build a little bit of working trust and possibly establish an actual framework that looks like arms control."
The administration has made clear, though, that the cyberthreat goes well beyond Russia.
"It's not specifically a bilateral problem; it's also a China problem," said Ari Schwartz, who served as cybersecurity director in the Obama White House. "It's a problem with Iran and North Korea, and it's also a problem with a criminal issue. It's all of those things, and the Biden administration said that very directly on several occasions."
The Biden administration says for too long the government and the country have failed to take the necessary steps to boost defenses.
"These are systems that we use to run government and conduct commerce — systems that are used to deliver our power and our water, to help manage traffic on our roads," the Biden official told reporters. "The cost of the continuing status quo is simply unacceptable."