US President Joe Biden is expected to issue an executive order soon in response to the SolarWinds and Exchange Server attacks. Leaked details suggest it might not focus on the most effective actions.
Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, and the reaction among many top cybersecurity professionals has been mostly skeptical.
According to one cybersecurity expert who saw an early, high-level version of the EO, “The first takeaway for me is I’m concerned that there’s not enough recognition of the cloud side of things. It’s clear that that’s going to be a growing vector for future attacks. It is in some ways the part of this risk landscape that we have the least good information about in any detail,” the source tells CSO on background.
“Security standards are great, secure development is good,” the source adds. “It’s important. We’ve been debating this for 20 years. I haven’t seen the EO in its full text, but I’m concerned that we don’t know enough of how much these new policies around secure development have learned the lessons from what’s been tried before.”
The source also expressed concern about how critical and non-critical software are defined. “There needs to be a lot of focus on what exactly constitutes critical software.”
The source argues that the EO should focus on new ways of thinking rather than rely on the old and thus far unsuccessful security methods. “What I’m hoping, but I’m not necessarily optimistic about seeing a lot of in the EO, is ‘Hey, we need to think about this differently. It’s not just about telling people what to do,’” the source says.
According to a draft executive order seen by some reporters and selected experts, government contractors would be required to report attacks on their networks and software to their federal government customers within a few days of discovery, in much the same way that the EU’s GDPR requires data controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. According to reports, the relevant government customers would then pass the reported data on to DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
Some experts worry about the burdens imposed by mandatory breach reporting requirements, particularly if software and hardware providers are obligated to report incidents within days. “We have to be very careful because many times we have false positives,” Carlos Perez, practice lead, research, at TrustedSec, tells CSO. “We have such a short time [if, for example, the reporting requirement is within three days]. Sometimes it won’t be enough for some contractors that don’t have a security team. Or all of a sudden, somebody opened an email, and the attachment looked funny, and now they’re going like, ‘Oh, we have a three-day ticking time bomb for us to find out if this was truly malicious or not.’”
Many cybersecurity professionals have little faith that the US federal government is equipped to handle hacks on the scale of SolarWinds or Microsoft Exchange. According to one: “When SolarWinds happened, we got a call set up with CISA. They canceled our call because they were in the throes of being compromised themselves. Then the Department of Energy called CISA saying ‘we need help.’ CISA said, ‘We can’t help right now. We’re busy with our own problems.’ And now you guys are in charge of coming up with a solution?”
The cybersecurity expert said: “At this stage of the game, you’re asking the same people to dust off the same playbook over and over again. They should allow the entry of some fresh blood; some harder questions being answered.”