
Illustration by Security Management

Biden Signs Cybersecurity Executive Order, Creating Road Map for Federal Improvements

U.S. President Joe Biden signed a long-awaited cybersecurity executive order on Wednesday evening, which instructs the federal government to take a host of actions to improve the nation’s security and resiliency.

Cybersecurity was already at the forefront of the national conversation in the United States due to the ransomware attack that caused Colonial Pipeline to turn off its pipeline network as a precautionary measure. The company announced Wednesday evening—just prior to the executive order signing—that it had turned the pipeline back on and that service was on its way to returning to normal.

Bloomberg later broke the story that Colonial paid nearly $5 million in ransom to the hackers responsible for the attack. Colonial, however, ultimately used its own backups to restore its system.

“The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard,” according to sources who spoke with Bloomberg. 

The incident was just the latest to highlight the vulnerabilities in U.S. critical infrastructure and the increasing need for the federal government to address cybersecurity at a national level. The executive order lays the initial groundwork for the federal government to begin doing that, including elevating cybersecurity to an issue that demands a national response.

“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” according to the executive order. “The federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premise, or hybrid. The scope of protection and security must include systems that process data (information technology) and those that run the vital machinery that ensures our safety (operational technology).”

Under the executive order, agency heads are instructed to create plans to remove existing barriers to sharing of threat information between the government and the private sector, as well as modernize and implement stronger cybersecurity standards for the federal government. The order mandates the use of multifactor authentication and encryption of data.

“The federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption,” according to a White House fact sheet.

The executive order also lays out a plan for establishing baseline security standards for the development of software that is purchased by the federal government. For instance, the order creates a pilot program to establish an “energy star” type label so the government and others can determine whether software was developed securely.

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” the fact sheet said. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up.”

Additionally, the executive order creates cybersecurity event log requirements for federal departments and agencies, creates a standardized playbook for cyber incident response, and sets up a Cybersecurity Safety Review Board—members yet to be named—that will be co-chaired by government and private sector leads. The board will be modeled after the National Transportation Safety Board and is an idea that has been touted by experts in the past to help the government and private sector assess cyber incidents and share lessons learned.

“This executive order is about taking the steps necessary to prevent cyber intrusions from happening in the first place; and second, ensuring we’re all positioned to react rapidly to address incidents when they do occur,” a senior administration official said in a background call with reporters. “The executive order makes a significant contribution to modernizing our cybersecurity, particularly federal cybersecurity and software security—the software we all use. But I should stress that it alone is not enough. This will be the first of many ambitious steps the public and private sector must and will take together to safeguard our economy, security, and the services on which the American way of life relies.”

Chair of the U.S. Senate Intelligence Committee Mark Warner (D-VA) said that the United States has demonstrated in 2021 with the Colonial, SolarWinds, and HAFNIUM attacks that it is not prepared to ward off state-sponsored or criminal hackers seeking to compromise its systems.

“This executive order is a good first step, but executive orders can only go so far,” Warner said in a statement. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”

The reaction to the executive order from the private sector has also been positive, including praise from the U.S. Chamber of Commerce, which pledged to work with the Biden administration to improve cybersecurity.

“Recent cyberattacks, impacting both public and private entities, underscore the need for coordinated action by the Biden administration and the private sector,” said Christopher D. Roberti, U.S. Chamber of Commerce senior vice president for cyber, intelligence, and supply chain security policy, in a statement. “We need to enhance security, drive international collaboration, and hold malicious cyber actors accountable when they violate domestic and international laws.”