The Biden administration’s long-gestating executive order on protecting federal networks and reinforcing cybersecurity has arrived amid a turbulent, protracted run of hacking fiascos. The nearly concurrent SolarWinds, Pulse Connect Secure, and Microsoft Exchange Server breaches had somewhat dampened expectations that political action could impede such events. The Colonial Pipeline ransomware attack, with its tangible effects on ordinary citizens, has shifted the public mood back toward demanding a policy response.
This executive order (EO) might seem inextricably tied to a specific “Pipeline timeline,” but the pre-planned mandate probably lost only a week or two in drafting by being released at this critical moment. Luckily, Colonial can deal with its issues on a truncated schedule. By isolating the targeted systems and halting operations during the assessment phase, Colonial kept the ransomware away from its most pivotal pipelines. Otherwise, the entire Southeast could have been left short of fuel for months on end.
President Biden’s directive is intended as a cybersecurity catch-all for improving federal networks, but it offers the private sector little beyond suggestions. On threat information sharing, it aims to make reporting of potential or actual compromises more free-flowing by removing the contractual barriers that have kept providers from passing breach information to the government. Though it is possible that this mandate will function properly with both sides cooperating, and even lead to threat mitigation, the EO lacks a firm stance on privately owned critical infrastructure.
NTT Security’s Vice President of Security Strategy, Bruce Snell, said, “Critical infrastructure is particularly susceptible to ransomware as it often has older equipment that may have vulnerabilities that go unnoticed and unpatched for years. All of the security best practices apply: security training and education, an aggressive patching and updating policy, network segmentation with a zero-trust architecture and so on.”
Transparency about existing threats is a good start. It is difficult to say whether an EO mandate imposing policies and standards on private sector critical infrastructure would be overstepping, but it would surely do more to deny hacking campaigns their success. Another provision of the EO sets stricter cybersecurity guidelines for software vendors that sell to the government. These requirements could conceivably trickle down to private and independent deals, but that may be wishful thinking that takes decades to bear out.