In the wake of the Colonial Pipeline hack, President Biden released a long-anticipated Executive Order (EO) intended to strengthen U.S. cybersecurity infrastructure. [1] [2] The EO highlights the government’s interest in public-private partnerships in the realm of cybersecurity by triggering a rulemaking process that will impose cybersecurity standards on private companies that contract with the federal government in the areas of information technology (IT) and operational technology (OT). The EO is only one of many steps the new administration is taking to improve cybersecurity. In line with the government’s vision, the Department of Energy also released a 100-day cybersecurity pilot program,[3] and the Federal Energy Regulatory Commission took steps to establish incentive-based programs for cybersecurity investments.[4]
Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS), spoke at an Infragard webinar on May 19, 2021 about the new Executive Order (EO).[5]
Before delving into the EO, the speakers gave a brief introduction to the roles of DHS and CISA. DHS takes a “whole of government” approach to cybersecurity, and deals with cybersecurity issues through the United States Secret Service and Immigration and Customs Enforcement (ICE), which focuses on prosecuting cyber-enabled crime. It also works through the Transportation Security Administration (TSA) and Coast Guard, which focus on cybersecurity in surface transportation. CISA, on the other hand, is an independent federal agency under DHS oversight. It focuses specifically on the United States’ cybersecurity and communications infrastructure. Acting more as a risk advisor and research arm, rather than enforcer, CISA aims to keep the nation’s critical infrastructure secure, robust, and capable of defending itself against cyber-attacks.
Both speakers briefly discussed three pieces of legislation that give CISA more authority to perform their work:
- The National Defense Authorization Act (NDAA), which is a product of the Cyberspace Solarium Commission, provides 11 substantive new authorities for CISA, including: the ability to issue administrative subpoenas, the authority to do more to protect federal networks, and the wherewithal to provide capabilities and tools to other federal agencies without reimbursement. However, CISA’s subpoena authority is very limited. It mainly involves the power to collect public-facing IP information from internet service providers (ISPs) when the information is not otherwise available. Under this authority, ISPs must provide identifying information attached to IP addresses. CISA, of course, claims to have no interest in overstepping privacy rights or civil liberties.
- The DotGov Online Trust in Government Act (DotGov Act) was established through the Consolidated Appropriations Act. The DotGov Act gives CISA the authority to issue “.gov” addresses that provide more security. These are provided to federal agencies at no cost.
- The last legislation the speakers highlighted was the American Rescue Plan Act of 2021, which gave CISA $650 Million to improve federal network security. CISA will operate a pilot cloud environment featuring heightened security systems. This could signal a significant new path for CISA to provide services to agencies rather than merely issuing policies and directives.
Executive Order on Improving the Nation’s Cybersecurity
The Executive Order has been a priority for the Secretary of the DHS, Alejandro Mayorkas. When he outlined his vision for DHS’s cybersecurity efforts on March 31, 2021, Secretary Mayorkas said, “[m]ake no mistake: a free and secure cyberspace is possible. We will champion this with words and action.”[6]
The speakers highlighted the importance of the role the EO plays in the federal government’s commitment to modernize cybersecurity defenses and protect the federal government’s infrastructure. While executive orders cannot direct the private sector or create new authorities that do not already exist, they can leverage the power of the White House to signal priorities and support the use of existing authorities to implement key priorities. All the EO provisions outlined by the speakers build on the maturation of the cybersecurity mission and are intended to address recent cybersecurity incidents.
The EO has several innovative aspects. It leverages the procurement power of the federal government to impose reporting requirements and standards on service providers with which the federal government contracts. This could have a ripple effect on the private sector, setting standards of care and best practices that reach beyond the provision of services to the federal government.
The EO also focuses on improving information sharing about potential incidents in the inter-agency process and through procurement power. It eliminates roadblocks for private entities to share information with government and assists the government in preventing incidents from occurring in the first place. The federal government observed that IT and OT service providers who contract with the government are hesitant and sometimes unable to share information with CISA and the FBI. They often claim that their contracts prevent the sharing of information to any agency outside of their contracting partners. The EO requires CISA to develop standard contractual clauses to be implemented through the federal acquisition regulation process. IT and OT service providers will thereby be required to collect, preserve, and share data and to collaborate during investigations. The EO goes beyond information sharing and provides standard formats to assist with investigation and remediation. Section 2(g)(I) of the EO outlines the types of reporting that should be included in the contracts.
Additionally, the EO creates a new Cybersecurity Safety Review Board, which will analyze broader, nationally significant cyber incidents affecting federal civilian information systems or non-federal systems, and make concrete recommendations for improving cybersecurity. CISA is actively working to develop this Board.
The EO provides authorities to conduct threat hunting, ensuring that there is government-wide buy-in on CISA’s ability to use these authorities effectively. It also includes desired improvements in cloud security and in the development of software used in the supply chain.
Recent cybersecurity incidents have revealed a lack of visibility into the cloud environment. To address this, the EO requires CISA to develop a set of security principles that govern the cloud environment for federal agencies. The EO also requires the Secretary of Commerce, in coordination with the National Institute of Standards and Technology (NIST), to publish the minimum elements of a software bill of materials and a definition of “critical software.” The Secretary of Commerce is also responsible for recommending minimum standards for testing of third-party software source code by the third-party licensors.
In addition, CISA can help federal agencies by providing a federal incident-response playbook and improving methods for detecting vulnerabilities. Because CISA currently sees internet traffic only at the network perimeter and not at the object (individual computer) level, the EO requires agencies to give CISA access to object-level data and to deploy endpoint detection capabilities, giving CISA a greater ability to look for malicious code and vulnerabilities.
When asked whether the EO sufficiently protects critical infrastructure, Dan Sutherland stated that CISA was taking substantial new steps to address recent issues. Regarding possible metrics of success, he said that these metrics may include measurements of efforts and results and, since the EO has many short, aggressive deadlines, people should expect to see results such as patching happening quickly.
The final point the speakers addressed was inter-agency sharing of information. Under the Federal Information Security Modernization Act (FISMA), every agency is responsible for its own security, while CISA provides only guidance and policies. After the data breach at the federal Office of Personnel Management,[7] there was more cooperation and collaboration in the federal civilian executive branch. The EO further prompts federal agencies to work collaboratively. In that regard, the EO calls for procedures under which the Secretary of DHS and the Department of Defense share all directives applying to their respective information networks. To take this a step further, the speakers recommended cultivating greater information sharing between the federal system and private industry.
Our next article will focus on steps the private sector should be taking in light of new standards under the EO.
Read the second article in this two-part series, published in September 2021: https://businesslawtoday.org/2021/09/private-sector-actions-in-light-of-the-cybersecurity-executive-order/
[1] Maame Nyakoa Boateng, a third-year student at Penn State Dickinson Law, contributed to this article.
[2] Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
[3] Department of Energy, “Biden Administration Takes Bold Action to Protect Electricity Operations from Increasing Cyber Threats,” April 20, 2021, https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0 (last checked July 16, 2021).
[4] Cybersecurity Incentives, Federal Energy Regulatory Commission, Department of Energy, Notice of Proposed Rulemaking, https://www.federalregister.gov/documents/2021/02/05/2021-01986/cybersecurity-incentives (last checked July 16, 2021).
[5] For those who missed the webinar, it can be viewed at https://www.americanbar.org/groups/cybersecurity/.
[6] Secretary Mayorkas Outlines His Vision for Cybersecurity Resilience, March 31, 2021, https://www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-cybersecurity-resilience (last checked July 16, 2021).
[7] See https://www.opm.gov/cybersecurity/cybersecurity-incidents/.