Over the past three years, the White House has quietly been working to raise the nation’s information-security shields. And it has done so largely without the help of Congress.
Instead of seeking new legislation, the Biden administration built its own scaffolding for this effort, starting with an 8,000-plus word executive order (EO) on cybersecurity issued in May of 2021 that assigned goals, tasks, and deadlines to a long list of agencies. The short version of that long EO is a line that I’ve seen White House officials repeat with remarkable consistency ever since: We must shift the burden of security from users and customers to the companies making the software and services they use.
That thesis draws applause from infosec experts.
“I think that’s an excellent idea,” says Steven Bellovin, a computer-science professor at Columbia University who has also served multiple stints on government advisory boards. “End users, including corporations running outside software, are often completely unable to even know about some flaws, let alone be able to repair them.”
In leaving legislation out of the critical path—in contrast to the administration’s work on clean energy—the Biden administration has been able to move rapidly in upgrading security standards for government contracts, establishing voluntary industry initiatives, and setting up a cybersafety review board.
But it’s also left itself unable to build foundations that could better resist a later administration’s attempts to roll back this work.
See also the administration’s July 2021 executive order on promoting competition, which has yielded such regulations as the Federal Communications Commission’s broadband-labels rule and the Federal Trade Commission’s ban on non-compete clauses but has also met legal challenges and pledges from Republicans to undo those initiatives.
Transformation without legislation
The administration says it had no other option but to pick up policy tools already on the shelf: the last major attempt to write federal cybersecurity standards into law failed in 2012.
Anne Neuberger, deputy national security advisor, points to one of the administration’s first cybersecurity actions: responding to the Colonial Pipeline ransomware attack with industry-specific security requirements grafted onto older safety rules.
“The reason we were using existing safety regulations is that they gave the authority to act,” she says. “In an ideal world, there would be legislative support for minimum security requirements for infrastructure.”
The Biden administration also leaned on the government’s authority to set conditions on federal contracts to add security stipulations to procurement requirements. For example, IT vendors must itemize their products’ code in a “software bill of materials” so agencies know what code they’re buying, and they must maintain vulnerability-disclosure policies that empower researchers to report flaws.
John Funge, managing director of the DataTribe startup foundry, credits those rules for bringing attention to how a software bill of materials can prevent an organization from being surprised by a supply-chain attack targeting lower-level parts of an application.
“There’s an increasing level of oversight in how software is being built,” he says. His cybersecurity-focused venture fund is now looking for more startups specializing in that area.
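The supply-chain benefit Funge describes is concrete: once a product ships with an inventory of every component it contains, a buyer can match that inventory against published advisories and learn about exposure in a transitive dependency it never chose directly. The script below is an added example, not code from the article or from any agency or company it mentions. It reads a constructed CycloneDX-style SBOM (the `bom-ref`, `components` and `dependencies` fields follow that format’s JSON layout, but the package names, versions and advisory identifiers are placeholders invented for this example), flags components that fall inside an advisory’s affected version range, and reports the dependency path that explains why the flagged component is in the product.

```python
"""Check a constructed SBOM against a constructed advisory feed.

Added example, not the article's code. Package names, versions and the
ADV-PLACEHOLDER ids are invented; the JSON layout mirrors CycloneDX.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM: the app depends directly on webframe and pdfgen;
# webframe in turn pulls in logutil, which the buyer never chose directly.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "3.4.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/webframe@5.2.0", "name": "webframe", "version": "5.2.0"},
        {"bom-ref": "pkg:maven/com.example/logutil@2.14.1", "name": "logutil", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/pdfgen@1.0.3", "name": "pdfgen", "version": "1.0.3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/webframe@5.2.0",
                                     "pkg:maven/com.example/pdfgen@1.0.3"]},
        {"ref": "pkg:maven/com.example/webframe@5.2.0",
         "dependsOn": ["pkg:maven/com.example/logutil@2.14.1"]},
        {"ref": "pkg:maven/com.example/pdfgen@1.0.3", "dependsOn": []},
        {"ref": "pkg:maven/com.example/logutil@2.14.1", "dependsOn": []},
    ],
})

# Constructed advisory feed with placeholder ids (not real CVEs).
# Each entry names an affected package and a half-open version range.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "logutil", "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "ADV-PLACEHOLDER-2", "name": "pdfgen", "introduced": "1.1.0", "fixed": "1.2.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); pad to three parts so '2.0' == '2.0.0'.
    Trailing non-digit suffixes such as '-rc1' are ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def dependency_paths(sbom: dict) -> Dict[str, List[str]]:
    """Breadth-first walk from the product root; maps each ref to the chain
    of refs that brings it into the product."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = [root]
    while queue:
        current = queue.pop(0)
        for child in graph.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def find_affected_components(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Return every shipped component inside an advisory's affected range,
    marking whether it is transitive and how it reached the product."""
    sbom = json.loads(sbom_text)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                ref = comp["bom-ref"]
                chain = paths.get(ref, [ref])
                findings.append({
                    "advisory": adv["id"],
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "transitive": len(chain) > 2,   # more than root -> direct dep
                    "path": " -> ".join(chain),
                })
    return findings


if __name__ == "__main__":
    for finding in find_affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Run as a script it reports one finding: `logutil@2.14.1` is inside the first advisory’s range and is transitive, reached through `webframe`; `pdfgen@1.0.3` is below the second advisory’s introduced version and is not flagged. The dependency path is what makes an SBOM useful in an incident, because the fix is usually to bump or replace the direct dependency that pulls the flawed component in, not the flawed component itself.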
We’re still in the early stages of leveling up federal IT contracts; Neuberger says it took two and a half years to turn the EO’s principles into formal contract requirements.
“It’s good to push those well-known practices into procurement requirements,” says Katie Moussouris, CEO of the bug-bounty firm Luta Security. “But without measuring outcomes, it’s just another laundry list.”
Safety minded
Another key provision of the executive order used a transportation template, directing the Department of Homeland Security to set up a Cyber Safety Review Board (CSRB) modeled after the National Transportation Safety Board (NTSB).
The CSRB can investigate significant incidents to document what went wrong so that everybody else knows not to repeat the choices that led to those incidents.
At its best, the CSRB has undertaken detailed research into the causes of such security crises as the Log4j vulnerability or last summer’s Chinese hacks into Microsoft-hosted government mail accounts—which the board blamed on “a cascade of avoidable errors” at Microsoft.
But the board has also shown itself short on time and authority.
“I’m not thrilled—there are too many cases they’ve never investigated,” says Columbia University’s Bellovin, citing its failure to investigate the SolarWinds supply-chain attack. “We need more investigations and published reports.”
Moussouris, who just wrapped up a term on the board, says its work has helped to enlighten more IT decision-makers. Her recap of one common bit of feedback from infosec types: “Thanks for giving us a report we can show to management.”
But like Bellovin, she thinks the board will remain limited without a Congressional grant of authority. For example, while the NTSB can subpoena and sanction companies, the CSRB can’t.
“It doesn’t have any direct regulatory outcomes, and it can’t as long as it has private industry members,” Moussouris says.
Projects in progress
Biden’s EO also handed out a lengthy to-do list to the Cybersecurity and Infrastructure Security Agency, a DHS branch spun up by a 2018 law. Since 2021, CISA has been active in setting federal IT-security requirements and in preaching security to private industry in highly specific terms.
For example, last summer’s Black Hat security conference in Las Vegas featured two CISA advisers, Bob Lord and Jack Cable, offering such detailed action items for IT companies as writing software in memory-safe languages that resist outside attacks and not charging extra for detailed audit logs.
CISA has been campaigning for tech firms to adopt those and other “Secure By Design” principles to try to wall off the more predictable threats before code gets deployed. Neuberger’s definition of success in this and other security efforts: “Do adversaries have to work harder?”
Bellovin credits Secure By Design for providing a clear to-do list of best practices in software development, testing and deployment: “These are the low-hanging fruit—almost everyone should have done those years ago.” But he sees too much wiggle room in parts of the pledge, such as a discussion of multi-factor authentication that companies might read as making that defense against password compromise optional.
Another result of the EO is at an even earlier stage: the U.S. Cyber Trust Mark, a voluntary program handed to the Federal Communications Commission because of its authority to regulate wireless gadgets. The thing to watch will be how it evolves and whether a device can lose this certification.
“My problem with labels is that they should expire,” says Moussouris. “They’re going to age like milk.”
What’s next?
As the CrowdStrike calamity ought to remind everybody, information security abounds with surprises that require rapid rewrites of old playbooks.
Neuberger says the administration is treating the fallout from a botched CrowdStrike Windows driver update as a chance to assess how the government might have helped if an actual attack had left the same damage.
“This was not malicious,” she says. “If it was malicious, what kind of federal government support would be useful?”
Voters could serve up their own plot twist with their choice in November, after which a future president could enact a new executive order undoing the old policies.
Security experts don’t seem fazed by the Democratic Party’s hot-swap from President Biden to Vice President Harris as its presumptive nominee. Moussouris says a Harris administration “would carry the Biden administration cyber initiatives forward with vigor and even bigger goals.”
They are not so sure about what could happen if President Trump returns to the White House.
DataTribe’s Funge worries that a second Trump administration’s security efforts could be “less organized, less effective.”
Moussouris, for her part, puts faith in the non-political appointees at agencies, whom she’s seen stick to their work under multiple administrations. “It’s the nonpartisan appointees who are the real heroes,” she says.
But the Heritage Foundation’s Project 2025 policy blueprint for a Trump second term—which the candidate now disavows, notwithstanding how much of it came from his appointees and supporters—calls for turning many of those positions into at-will political appointments. That’s also something Trump had tried to do at the end of his first term.
Project 2025 also takes aim at CISA itself: Its chapter about the Department of Homeland Security, credited to former Trump DHS appointee Ken Cuccinelli, calls for stripping CISA of much of its responsibilities and “immediately ending” its already-embattled efforts against election-disinformation campaigns.
Radical moves like those, Bellovin fears, “would be disastrous.”