The Biden administration is putting the final touches on an executive order aimed at helping the U.S. defend itself against sophisticated cyberattacks like the one Russian hackers recently leveled against Texas software-maker SolarWinds.
The order, as now written, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector.
"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, told NPR in an exclusive interview.
She says the executive order will "set the goal, give it a timeline and then establish the process to work out the details" on a handful of cybersecurity initiatives, from setting up new ways to investigate cyberattacks to developing standards for software.
The effort is all part of the administration's response to a recent cyberattack on a Texas software company called SolarWinds. Hackers linked to Russian intelligence compromised one of the company's routine software updates and used that access to break into about 100 top U.S. companies and about a dozen government agencies. The hackers roamed around the networks for nine months before they were finally discovered. It is still unclear whether this was merely an espionage operation or a precursor for something more sinister.
The hack itself was sophisticated and stealthy. The intruders used novel techniques and exploited gaps in the nation's current cybersecurity systems.
Among other things, the attack was launched from inside the U.S. on servers the Russians had rented from places such as Amazon and GoDaddy. By doing that, the hackers were able to slip past National Security Agency early warning systems because the NSA is not allowed to conduct surveillance inside the United States.
"We did a detailed study of SolarWinds and it showed that we have major work to do to modernize our cybersecurity ... to reduce the risk of this happening again," Neuberger said. "And the upcoming executive order is a big part of that."
"It's nobody's job ... to tell us what happened"
Among other things, the order will create something similar to the National Transportation Safety Board, or NTSB, for cyber. Just as the NTSB inspects the wreckage of a plane and recovers black boxes to see if the crash requires a systematic fix, a cyber NTSB would potentially paw through code and data logs to discover the root causes that permitted a successful cyberattack.
"What can we learn with regard to how we get advance warning of such incidents?" Neuberger said. "What allowed it to be successful? Potentially, what allowed it to be broad, if it was, which sectors were affected? Why?"
Alex Stamos is the former chief of security at Facebook. Now he runs the Internet Observatory at Stanford University and says that one of the problems with the country's overall cyber strategy is that there is no one in charge of looking at the big picture. An NTSB for cyber would provide some of that.
"You have the FBI, which is deeply involved in the incident response, but they are there to enforce the law. It's not their job to come up with conclusions for the entire society," he said. "You have DHS's CISA, the Cybersecurity Infrastructure Security Agency, their job is to work on defense. So they're probably the closest of the agencies to this, but they don't have any investigative powers. So we're in this weird position where it's really nobody's job ... to tell us what happened."
Neuberger says the executive order seeks to address that by creating more transparency. "If you or I are going out to buy network management software like SolarWinds and we want to buy the software that is most secure, we have no way of assessing which that is," she said. "And as a result, we have no way of saying, 'you know what? I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.' "
Neuberger said that the administration can remedy that by defining a set of requirements for the way software is built. Federal contractors will have to prove that they have secure practices like separating where they develop software from the internet, and things like requiring proof of multifactor authentication. The administration is trying to change the way we all think of code: It isn't just zeroes and ones — it is critical infrastructure.
"The key here is we can't just expect companies to be motivated to build secure software because it's the right thing to do," said Kiersten Todt, managing director of the Cyber Readiness Institute and a former Obama adviser on cyber issues. "Government has to be working with these companies to tell them what secure software looks like and give them the resources, and incentivize them to do so."
She says consumers have a role to play, too. "If we start incentivizing security, then companies [and] the market will then inherently prioritize it because more people will buy the product," she said. "So there is a very much of a multi-stakeholder collaboration that has to happen here."
And an executive order alone won't do that.
"I think it's a first step," Todt said. "It's definitely not the Holy Grail. It's not a destination. It's the departure point."
Notification required
Another perennial issue is that when companies are hacked in the U.S., a lot of them keep it to themselves. The revelation of a cyberattack often affects confidence, share prices and reputation.
The executive order is seeking to change that. Neuberger said federal contractors will be required to be more open about attacks. "If you're doing business with the federal government, then when you have an incident, you must notify us quickly," she said. "Because we'd like to take that incident and ensure that the tactics, techniques and procedures, the information is broadly shared," she said. Then other companies, presumably, would follow their lead.
The chairman of the Senate Intelligence Committee, Sen. Mark Warner, told the U.S. Chamber of Commerce this week that he's working on a bill that will likely include some sort of "mandatory reporting" of cyber incidents and public-private cyberthreat intelligence sharing. He, too, said it was in response to the attack on SolarWinds.
But all this is easier said than done.
"The key is going to be in how each of these elements of the executive order are executed," Todt said. "And really how government is going to bring industry in to perform the functions to really look pre-event, middle of event, post-event and how we take those lessons learned and integrate them."
And while you may have never heard of SolarWinds or been affected by that attack, the connected world is increasingly vulnerable. And that is one of the messages the administration is trying to send.
"Cyberthreats loom large in a way that Americans feel," Neuberger said. "Can we trust our water, our power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running. We see school systems' networks down due to criminals. So, those risks touch everyday Americans' lives."
The Biden administration has already leveled sanctions against Russia for the SolarWinds attack. And the White House has said there would be more "seen" and "unseen" responses to the breach. The unseen responses — for example, whether the Biden administration is preparing a reprisal attack against Moscow in cyberspace — was not something Neuberger was willing to talk about.
Copyright 2021 NPR. To see more, visit https://www.npr.org.