The Biden administration said it’s drafting an executive order to help the United States government better defend itself against digital supply chain attacks.
A Step Up for Federal Procurement
According to NPR, the executive order that’s being drafted will include several initiatives designed to strengthen the security of the United States’ digital supply chain.
Among those will be a new set of digital security requirements for companies that are looking to do business with the federal government.
“So essentially, federal government procurement allows us to say, ‘'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,’” Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, told NPR in an exclusive interview.
That set of things could include a greater level of transparency in how developers create their products as well as proof that developers are using security best practices such as multi-factor authentication (MFA) and vulnerability management to harden their software.
Kiersten Todt, managing director of the Cyber Readiness Institute and a former Obama adviser on cyber issues, explained how important it is for the U.S. government to be clear about its security expectations regarding the private sector. As quoted by NPR:
The key here is we can't just expect companies to be motivated to build secure software because it's the right thing to do. Government has to be working with these companies to tell them what secure software looks like and give them the resources, and incentivize them to do so.
Otherwise, the U.S. government could have another SolarWinds-type event on its hands.
A Look Back at the SolarWinds Supply Chain Attack
In mid-December 2020, Tripwire VERT warned that an advanced persistent threat (APT) actor had inserted a backdoor into officially signed versions of SolarWinds’ Orion IT network management software.
Successful compromise by that malware enabled digital attackers to potentially gain complete access to an infected network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted at that time that the SolarWinds backdoor posed “unacceptable risk to Federal Civilian Executive Branch agencies.” It thus mandated federal agencies to disconnect their affected devices and wait for further guidance before reconnecting those assets.
Over the next few months, however, news emerged about the supply chain attack having affected several federal departments and agencies including NASA, the Department of Homeland Security (DHS), the Department of Justice and the National Nuclear Security Administration.
The total number of organizations affected by the SolarWinds supply chain attack, including those in the federal government, was still unknown as of this writing.
In April 2021, the Biden Administration announced a new round of sanctions on Russia in response to allegations that Moscow was ultimately responsible for the attack.
Those sanctions targeted 32 entities including Russian government and intelligence officers as well as companies that provided support to Russia’s digital attack operations, wrote Bloomberg.
As part of its decision to sanction Russia, the Biden Administration also expelled 10 Russian diplomats from Washington and barred U.S. financial institutions from participating in the primary market for new debt in Russia beginning on June 14.
Changes to Incident Response and Intel Sharing
Acknowledging the experience of SolarWinds, the Biden Administration is using its executive order to create something like a digital National Transportation Safety Board. The idea is for the U.S. government to use that entity or process to inspect the code and data logs of a successful digital attack to figure out what happened and to prevent it from happening again.
"What can we learn with regard to how we get advance warning of such incidents?" Neuberger told NPR. "What allowed it to be successful? Potentially, what allowed it to be broad, if it was, which sectors were affected? Why?"
The draft order will also include additional provisions that compel federal contractors to be open about successful digital attacks. With those new guidelines in place, the U.S. government can share relevant tactics, techniques and procedures (TTPs) among federal agencies and departments as well as with the private sector.
It’s currently unclear when an official draft of the executive order will be available to the public.