This week, the Biden Administration took two steps to strengthen cybersecurity. These actions were prompted initially by the recent SolarWinds cyberattack, but accelerated by the May 7th Colonial Pipeline ransomware cyberattack that affected fuel deliveries in the United States.
On May 11th, the Administration extended a previously approved national emergency order to improve the nation’s cybersecurity with regard to securing information and communications technology. The order was set to expire on May 15, 2021 but will now stay in effect until May 15, 2022. This extends the ban on the use of Huawei and ZTE devices in the United States’ information and communications infrastructure. On May 12th, the Administration followed up by issuing its Executive Order on Improving the Nation’s Cybersecurity.
The following are some key points from the Executive Order:
The EO also dictates the need to establish a Cyber Safety Review Board, standardize the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents, improve detection of cybersecurity vulnerabilities and incidents on federal government networks, and improve the investigative and remediation capabilities.
One of the more notable areas of this EO is its recommendations around Software Bills of Materials, or SBOMs. An SBOM shows a user the various components inside the software that they have purchased from a particular vendor. Because software developers often leverage open source and third-party software components to create their final product, it’s extremely important for users to understand what could be hiding in their software. SBOMs help users quickly determine whether they are at risk of compromise from an emerging vulnerability and also reduce risk from third-party components or prohibited suppliers.
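As an added example (not from the original post or from Industrial Defender), the following Python script shows the kind of check an SBOM enables: it parses a constructed, minimal CycloneDX-style SBOM, flags components whose version is below the fixed version in a constructed advisory list, and flags components from a prohibited supplier. The SBOM contents, advisory IDs and supplier names are all constructed placeholders, and the version comparison is a simplified dotted-numeric one.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for illustration; not a real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.3.0", "supplier": {"name": "Foo Project"}},
    {"type": "library", "name": "libbar", "version": "2.5.1", "supplier": {"name": "Bar Inc"}},
    {"type": "library", "name": "netmod", "version": "0.9.0", "supplier": {"name": "Prohibited Vendor (placeholder)"}}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs: component name -> first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libfoo", "fixed_in": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "name": "libbar", "fixed_in": "2.5.0"},
]

# Constructed deny-list of suppliers (compared case-insensitively).
PROHIBITED_SUPPLIERS = {"prohibited vendor (placeholder)"}


def parse_version(v):
    # Simplified dotted-numeric comparison; real tooling applies ecosystem-specific rules.
    return tuple(int(p) for p in v.split("."))


def assess_sbom(sbom_json, advisories, prohibited_suppliers):
    """Return (kind, component, version, detail) tuples for every finding in the SBOM."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for c in components:
        name, version = c["name"], c["version"]
        supplier = c.get("supplier", {}).get("name", "")
        # A component is exposed if an advisory names it and its version predates the fix.
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(("vulnerable", name, version, adv["id"]))
        if supplier.lower() in prohibited_suppliers:
            findings.append(("prohibited-supplier", name, version, supplier))
    return findings


if __name__ == "__main__":
    for finding in assess_sbom(SBOM_JSON, ADVISORIES, PROHIBITED_SUPPLIERS):
        print(finding)
```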
This EO, the recent 100 day plan for electric system cybersecurity, and new bills related to cybersecurity and infrastructure making their way through Congress are an indication of the federal government’s readiness to step in and regulate cybersecurity for critical infrastructure companies, particularly in the energy sector.
“These actions suggest that stricter government regulations for critical infrastructure cybersecurity are right around the corner,” said Jim Crowley, CEO of Industrial Defender. “Electric utilities have had to comply with the NERC CIP regulations that enforce standardized security controls for many years, which means the regulatory infrastructure to do this is already there. It’s highly likely that a similar set of enforceable standards based on NERC CIP or the NIST Cybersecurity Framework will be introduced for the entire energy industry.”
Of course, an Executive Order is just a first step. While the document provides strategic direction, the success or failure of this initiative will depend upon how well the government can work with industry and academia to define solutions to these complex problems, and on how well the implementation process is executed.