Securing America’s Software Supply Chains From Attack: Biden’s Executive Order on Cybersecurity

May 13, 2021
Andrea Little Limbago

A major oil pipeline shuts down. Ransomware halts city operations and online systems. A new banking trojan spreads across Europe. This may seem like an extraordinary week in cybersecurity. But, unfortunately, these kinds of ‘Black Swan’ events are no longer Black Swans. Recent incidents—including SolarWinds, Exchange, Pulse Secure, and Codecov—further demonstrate that cybersecurity and the resilience of supply chains are inextricably linked.

As the global cyber threat landscape has exploded in actors (state-sponsored, criminal organizations, and privatized non-state organizations), tools, and techniques, there has been little federal movement in cyber policy focused on strengthening defenses to counter such a diverse array of threats and interdependencies within and across organizations. However, with the publication of the Executive Order on Improving the Nation’s Cybersecurity, there is a new focus on cyber defenses and potentially the start of a significant paradigm shift in cybersecurity. As the order notes, “Incremental improvements will not give us the security we need.”

Bolstering Both Digital and Physical Security

Coming on the heels of February’s Executive Order on America’s Supply Chains, which aims to build more resilient, secure, and diverse physical supply chains, this Executive Order similarly prioritizes supply chain security. Where that order addressed physical supply chains, this one focuses, rightly so, on the urgent need for enhanced digital supply chain security while also addressing information sharing, data breach notification, modernized security standards, and safety. Together, these core themes further highlight a shift toward defense and private/public sector collaboration before, during, and after a cyber incident.

  • Software supply chain security: New guidelines and criteria for evaluating software security will be established, focusing on the security practices of both developers and suppliers. A Software Bill of Materials (SBOM)—a formal record of the various components and supply chain relationships used to build software—will be required for each product. The process to create these SBOM guidelines will begin immediately, with initial findings published within 60 days. A labeling scheme will also be explored to inform consumers of the security of their products.

  • Information sharing: The dissemination of timely information across federal agencies and the private sector regarding risks and threats will be facilitated through the reduction of contractual barriers that limit information sharing as well as standardization of the data.

  • Data breach notification: Contractors will be required to report breaches on a graduated severity scale. Similar to the European Union’s General Data Protection Regulation breach notification, companies partnering with the federal government will be required to disclose the most severe breaches to the federal government within 72 hours. While the U.S. lacks a federal data breach notification policy, there are bills underway to replace the patchwork of 54 data breach notification laws across all 50 states, the Virgin Islands, Puerto Rico, Guam, and Washington, DC.

  • Security standards: With an emphasis on modernizing cloud-based services, a Zero Trust security model formalizes many of the recommendations the security industry has been advocating for years, such as multi-factor authentication and encryption of data at rest and in transit. Organizations will have to demonstrate adherence to these requirements and also follow an incident response playbook.

  • Safety: A new Cyber Safety Review Board comprised of both private-sector and federal representatives will be established, including cybersecurity and software suppliers, to review incidents and make recommendations. This may be modeled on the National Transportation Safety Board. The actual scope—including membership and the kinds of incidents to be evaluated—will be determined in the upcoming months.

The executive order stresses the need for strengthened defensive postures and processes at all phases of an incident, emphasizing a proactive approach to a defense that has largely been reactive. This includes gaining greater visibility into suppliers and working toward building trustworthy and transparent systems through a modernized approach to cybersecurity. Importantly, this applies not only to your organization’s security but to security across your entire supply chain network. The introduction of security standards and information sharing demonstrates the emphasis on collective security to help target and reduce vulnerabilities across the entire supply chain. The days of a “perimeter defense” are gone and, as the executive order articulates, the public and private sectors must work together for the collective security of all.

Operational Resilience: Public- and Private-Sector Collaboration

While the executive order is already framed as a response to the Colonial Pipeline attack, in reality it has been months in the making. Following the breadth and depth of the state-sponsored SolarWinds intelligence-gathering attack that targeted at least nine federal agencies and hundreds of private sector organizations, administration officials began circulating various components of the executive order. It is just one component of a nascent strategy shift focused on strengthening security, creating more resilient supply chains, and building trusted networks within the U.S. and with like-minded partners. With this steady drumbeat of high-profile breaches and localized, financially motivated ransomware attacks such as the Colonial Pipeline hack, the executive order may be a harbinger of many regulatory changes to come as the federal government seeks to modernize cybersecurity and technology policy—strengthening defenses, securing supply chains, and ultimately bolstering operational resilience—for an era of technological competition and geopolitical friction.

As Bob Brese, former CIO at the U.S. Department of Energy and a current board advisor to Interos, observes: “Broadly enhanced cybersecurity improvements are critically needed. However, as articulated in the Executive Order on America’s Supply Chains, cybersecurity is one of many lines of effort necessary to ensure operational resilience for companies and government organizations as well as to enhance our nation’s economic and national security resilience. We can’t let this need to improve cybersecurity lead us to drop the ball on the other supply chain risk factors impacting operational resilience.”
