This article is the second in a two-part series exploring the implications of President Biden’s executive order on cybersecurity. In the first installment, available here, William R. Denny discusses the role the executive order plays in the federal government’s commitment to modernize cybersecurity defenses.
Recent cyber-attacks, such as the SolarWinds and Kaseya supply chain attacks, which affected thousands of entities, and the ransomware attack on Colonial Pipeline, are stark reminders of the tremendous and growing cyber threat to both the public and private sectors. The level of sophistication of these attacks makes it ever more difficult for enforcement agencies to detect and prevent these incidents. On May 12, 2021, just days after the attack on Colonial Pipeline, President Biden released a comprehensive executive order (EO) intended to improve U.S. cybersecurity infrastructure and protect the federal government’s networks. While this is an ambitious step by the administration, there is still a need for public-private partnerships to reduce the risk of future attacks. The President noted in the EO that “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”
In our previous article, we discussed the elements of the new EO, highlighting remarks made by Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS). The speakers emphasized that ransomware was a massive national security problem requiring both a “whole of government” and a “whole of private sector” approach. Ransomware often strikes the weakest links in information systems. While the government is investing in strengthening resiliency, the private sector must also play a role in helping to protect against cyberattacks. This article focuses on the implications of the EO for the private sector.
While EOs do not have the effect of law, they serve as a roadmap for federal agencies to regulate themselves. The President can require that certain terms be included in federal contracts and can use EOs to bolster this agenda. For private sector businesses interested in competing for federal contracts, the President’s “procurement power” creates a powerful catalyst for change. And because the federal government is such a significant purchaser of private IT services, new federal standards will have a powerful ripple effect on cybersecurity in the private sector.
The EO’s commitment to public/private partnerships is evident in the demands it places on private sector contracting partners. The EO mandates the removal of barriers that prevent private businesses that contract with the government from sharing cybersecurity and breach information, and it mandates contract provisions that require the reporting of such information.
For private sector businesses, the EO indicates the increased likelihood of new cyber-related legislation and heightened regulation of existing cybersecurity laws and policies. While the EO broadly applies to the federal government, it provides several best practices that the private sector should consider emulating to enhance its own cybersecurity readiness.
1. Modernize Private Sector Cybersecurity
The EO directs agencies to prioritize the adoption and use of cloud technologies to store data. Businesses should likewise invest in cloud technologies for data storage, as this could help ensure that they are consistently up to date with the latest security tools. In the same vein, businesses should consider periodically conducting a thorough inventory of the types of data they store and assessing how sensitive that data is. During this process, businesses should identify data that is no longer needed and dispose of it. In the event of a cyberattack, businesses will then be better able to tell which data may have been compromised.
The EO also directs the creation of policies for logging data, including retention and management of the logs, to ensure centralized access to critical data for analysis in case of a cyberattack. The EO provides a valuable outline of the types of security controls that should be considered. These include endpoint protection, access controls, network security, email security, logging, monitoring and threat hunting. The private sector can take a cue from the government and adopt some of these security controls. Businesses should also get in the habit of training their employees on cybersecurity and the importance of protecting their data.
2. Enhance Software Supply Chain Security
The Fact Sheet following the EO states that the EO will:
improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market.
The Biden Administration plans to use the purchasing power of the government to require updated security measures of software vendors who contract with the government. Businesses can follow suit and require security standards from the third-party vendors with whom they transact business. Businesses should consider conducting due diligence on third parties to ensure that they have the appropriate IT security measures in place to mitigate the risk of a cyber incident. Businesses should inquire about the measures their third-party vendors have in place, such as multifactor authentication and encryption. Doing so enables businesses to identify possible risks and find remedies before their data is potentially compromised. Businesses should also get into the habit of including contract provisions that obligate their third-party vendors to notify them of any unauthorized disclosures of their confidential information. With this information, businesses can act quickly in the event of an attack and attempt to minimize harm from a breach.
3. Develop an Incident Response Plan
The EO instructs federal agencies to develop, within 120 days, a “playbook” to be used in planning and conducting cybersecurity vulnerability and incident response activities. Private sector organizations should also develop their own incident response plans. An incident response plan outlines a course of action in the event of a significant incident. It assigns roles and creates an incident recovery team composed of key professionals within the organization as well as outside experts. It also prepares employees for any possible attacks. Having an incident response plan enables businesses to respond more quickly and effectively to a cyberattack. After a cyber incident, businesses should reflect on lessons learned, revisit their best practices and modify any elements of their incident response plan that need to be updated.
4. Establish a Cyber Safety Review Board
The EO directs the establishment of a Cyber Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze the attack and provide concrete recommendations for improving cybersecurity. The private sector should likewise cooperate to establish a review board of its own to conduct security threat assessments, identify potential vulnerabilities and make recommendations.
5. Engage In-House Counsel or External Counsel
Because of the increasing sophistication of cyber risks, businesses should engage with general counsel to set governing principles that balance protecting data with ensuring that the business complies with privacy and regulatory requirements. General counsel can also be instrumental in helping their businesses understand the cyber landscape and in assisting management with decisions about cybersecurity measures. Business attorneys can assist organizations in drafting contracts that include the above-mentioned reporting requirements. Businesses should take a holistic approach to cybersecurity breaches, one that accounts for employee and client privacy as well as governance.
The federal government will continue to make cybersecurity a priority to protect the United States, its infrastructure, and its citizens. For the private sector, the new EO provides a comprehensive guideline for strengthening its cybersecurity. By modernizing cybersecurity measures, enhancing software supply chain security, developing an incident response plan, establishing a cyber safety review board and engaging in-house counsel, businesses will be better prepared to mitigate cybersecurity risks and respond effectively in the event of cyberattacks.
CISA recently launched a new webpage focused on ransomware, https://www.cisa.gov/stopransomware, that includes guidelines that would be extremely beneficial to businesses. CISA itself is also strategically designed not just to work on cyber defense and resiliency, but also to improve public-private partnerships. When there is an incident, quick action is needed, and CISA wants businesses and governmental agencies to know that it has resources to assist.
Maame Nyakoa Boateng, a third-year student at Penn State Dickinson Law, contributed to both articles.