Anne Neuberger, assistant national security advisor on cyber and emerging technologies, says an upcoming regulation will strengthen cybersecurity in the US, from establishing new ways to investigate cyberattacks to developing standards for software. Saul Loeb / AFP via Getty Images
The Biden administration is putting the finishing touches on an executive order to help the US defend itself against sophisticated cyberattacks like the one in which Russian hackers recently broke into Texas software maker SolarWinds.
As now written, the order includes a number of new requirements for companies doing business with the government. The initiative includes plans for more systematic investigations into cyber incidents and standards for software development. The idea is to use the federal contracting process to force changes that will eventually spill over to the rest of the private sector.
“In essence, federal government procurement allows us to say that when you do business with the federal government, there are a number of things you need to consider in order to do business with us,” said Anne Neuberger, assistant national security advisor for cyber and emerging technology at the White House, in an exclusive interview with NPR.
She says the executive order will “set the goal, set a schedule, and then set the process for working the details” for a handful of cybersecurity initiatives, from establishing new ways to investigate cyberattacks to developing standards for software.
The effort is part of the administration’s response to the recent cyberattack on a Texas software company called SolarWinds. Hackers associated with Russian intelligence agencies compromised one of the company’s routine software updates and used that access to break into about a hundred top US companies and about a dozen government agencies. The hackers roamed the networks for nine months before they were finally discovered. It is still unclear whether this was just an espionage operation or a precursor to something more sinister.
The hack itself was clever and stealthy. The intruders used novel techniques and exploited gaps in the country’s current cybersecurity defenses.
The attack was launched, among other places, from within the US, on servers that the Russians had rented from providers like Amazon and GoDaddy. In this way, the hackers were able to slip past the National Security Agency’s early warning systems, since the NSA is not allowed to conduct surveillance inside the USA.
“We conducted a detailed study on SolarWinds and determined that we still have a lot of work to do to modernize our cybersecurity … to reduce the risk of recurrence,” said Neuberger. “And the upcoming executive order is a big part of that.”
“It’s nobody’s job to tell us what happened.”
The order would create, among other things, a National Transportation Safety Board (NTSB) for cyber. Just as the NTSB inspects the wreckage of an aircraft and recovers its black boxes to determine whether the crash points to a problem that needs a systemic fix, a cyber NTSB would potentially comb through code and logs to determine the root causes that made a successful cyberattack possible.
“What can we learn about how we are warned of such incidents?” said Neuberger. “What made it successful? Potentially, what allowed it to be broad, and if so, which sectors were affected? Why?”
Alex Stamos is the former security chief at Facebook. Now he heads the Internet Observatory at Stanford University and says one of the problems with the country’s overall cyber strategy is that no one is responsible for looking at the bigger picture. An NTSB for cyber would provide some of that.
“You have the FBI, which is deeply involved in responding to the incident, but they are there to enforce the law. It is not their job to draw conclusions for society as a whole,” he said. “They have DHS’s CISA, the Cybersecurity and Infrastructure Security Agency. Their job is to work on defense. So they’re probably the closest agency, but they have no investigative powers. So we’re in this weird position where it is really nobody’s job … to tell us what happened.”
According to Neuberger, the executive order tries to counteract this through more transparency. “If you or I want to buy network management software like SolarWinds, and we want to buy the software that is the most secure, we cannot judge which it is,” she said. “As a result, we can’t say, ‘You know what? I’m willing to pay five dollars more for the more secure software because I don’t want to bring more risk into my network.’”
Neuberger said the administration can remedy this by defining a set of requirements for the way software is created. Federal contractors would have to demonstrate that they have secure practices in place, such as keeping software development environments separated from the Internet and proving that multi-factor authentication is in use. The administration is trying to change the way we all think about code: it’s not just zeros and ones, it’s critical infrastructure.
“The key here is that we can’t just expect companies to be motivated to develop secure software because that’s the right thing to do,” said Kiersten Todt, executive director of the Cyber Readiness Institute and a former Obama advisor on cyber issues. “The government needs to work with these companies to tell them what secure software looks like, give them the resources, and encourage them to do so.”
She says consumers also have a role to play. “If we create incentives for security, then companies [and] the market will naturally prioritize it, because more people will buy the product,” she said. “So a cooperation among several stakeholders has to take place here.”
And an executive order alone is not enough.
“I think it’s a first step,” said Todt. “It’s definitely not the Holy Grail. It’s not a goal. It’s the starting point.”
Another persistent problem is that many companies that are hacked in the US keep it to themselves. Disclosing a cyberattack often hurts trust, stock prices, and reputation.
The executive order tries to change that. Neuberger said federal contractors would have to be more open about attacks. “If you are doing business with the federal government, you need to notify us quickly if there is an incident,” she said. “Because we want to take up this incident and make sure the tactics, techniques and procedures are shared widely,” she said. Other companies would then probably follow suit.
Senate Intelligence Committee chairman Senator Mark Warner told the US Chamber of Commerce this week that he is working on a bill that will likely include some sort of “mandatory reporting” of cyber incidents and the sharing of cyber threat intelligence between the public and private sectors. He also said this was a response to the attack on SolarWinds.
Senator Mark Warner, a Virginia Democrat and chairman of the Senate Intelligence Committee, speaks during a hearing in Washington, DC on Wednesday, April 14, 2021. Graeme Jennings / Bloomberg via Getty Images
But all of this is easier said than done.
“The key will be how each of these elements of the executive order is executed,” said Todt. “Really, how the government will get industry to perform the functions to really look before, during, and after the event, and how we will learn and incorporate those lessons.”
And while you may never have heard of or been affected by SolarWinds, the connected world is increasingly fragile. And that’s one of the messages the administration is trying to send.
“Cyber threats are as big as Americans feel,” said Neuberger. “Can we trust our water, our power to be resilient? We see small businesses being forced to pay a ransom to get their business going again. We see school systems’ networks down because of criminals. So these risks affect everyday Americans’ lives.”
The Biden administration has already imposed sanctions on Russia for the SolarWinds attack. And the White House has said there would be more “seen” and “unseen” responses to the breach. Neuberger did not want to talk about the unseen responses, for example whether the Biden administration was preparing a retaliatory attack against Moscow in cyberspace.