Sen. Ed Markey, D-Mass, and Rep. Ted Lieu, D-Calif., were pleased to see flashes of legislation they’ve proposed—the Cyber Shield Act—in an executive order the Biden administration released to address widespread hacking campaigns that affected federal agencies and private-sector organizations.
“With as many as 75 billion IoT devices projected to be in our pockets and homes by 2025, cybersecurity continues to pose a direct threat to economic prosperity, personal privacy, and global security,” Markey said. “Thankfully, the president understands these concerns and has created a new program that will help ensure IoT no longer stands for the ‘Internet of Threats.’ By creating a cybersecurity certification system akin to what we proposed in our Cyber Shield Act, President Biden’s executive order will give consumers a seal of approval for more secure products, as well as encourage manufacturers to adopt the best cybersecurity practices so they can compete in the marketplace for safety.”
Within a long list of measures, the executive order instructs the National Institute for Standards and Technology to work with the Federal Trade Commission, and other agencies it deems appropriate, to—within 270 days—identify criteria around software development and connected devices, termed the “internet of things,” that would inform a consumer labeling program. It also directs NIST to recruit manufacturers and developers to participate in related pilot programs.
For months, agencies have been working to remediate hacking campaigns that used weaknesses in software systems from SolarWinds and Microsoft to get into federal networks. And last weekend’s ransomware attack on Colonial Pipeline drew attention to the vulnerability of operational technology, or OT, systems that control industrial control systems as physical devices such as valves and pressure gauges become more connected to information technology, or IT, systems.
The executive order tries to reduce the odds of hackers successfully attacking critical systems chiefly by controlling the quality of software the government purchases. It calls for the Federal Acquisition Council to process recommendations from various agency leaders in publishing new rules concerning software procurement, in addition to those on contractor incident reporting.
That didn’t quite cut it for some observers, particularly given the Government Accountability Office’s assessment that 85% of the nation’s critical infrastructure is controlled by private companies.
“This Executive Order is a good first step but it is likely not going to materially change the threat landscape,” said Eric Cornelius, chief product officer at cloud security company iboss, which does business with the government. “While the order sets the stage, it is mostly focused on federal networks. But the fact is that nearly all of America’s critical infrastructure is privately owned and operated. If America’s national security interests are to truly be protected, we will need regulatory requirements across all sectors of critical infrastructure.”
But the order was largely well-received, and supporters argue the government is a big enough customer that it can make a significant difference.
“Standardizing contractual language may not seem like the most exciting or impactful action to take, but with an organization the size of the Federal Government, it’s exactly the kind of action that can cause broad, sweeping change,” Tim Erlin, vice president of product management and strategy at cybersecurity company Tripwire, said.
The voluntary labeling program is one way to broaden the use of cybersecurity standards and drive industry toward taking appropriate steps without straight up mandating such actions.
“President Biden’s executive order mirrors our Cyber Shield Act by creating a consumer-friendly cybersecurity certification for consumer goods, and by providing an incentive for manufacturers to prioritize the cybersecurity of their products,” Lieu said in a statement. “I look forward to working with President Biden and Sen. Markey on this initiative. Everyone—except for malicious hackers—wins when we prioritize cybersecurity.”
At a press briefing Thursday on the government’s response to the Colonial Pipeline attack, Biden addressed a question of private-sector accountability within the executive order.
“The bottom line is that I cannot dictate that the private companies do certain things relative to cybersecurity,” he said. “A lot of you are very seasoned reporters, you’ve been covering this debate up on Capitol Hill … There’s a debate internally, among senators as to whether or not the government should be assisting, and it gets into privacy issues and a whole range of things, so that’s going to be an ongoing negotiation. But I think it’s becoming clear to everyone that we have to do more than [is] being done now and the federal government can be a significant value added in having that happen.”
source: NextGov
