Biden Executive Order Takes Aim at Software Supply Chain, Federal Cybersecurity
Supply chain attacks made quite a few headlines in the first half of 2021. It all started when the NOBELIUM threat actor compromised the distribution systems for SolarWinds’ Orion IT network management platform to push out malware. Researchers discovered many more malware strains associated with the attack in the weeks and months that followed. As they did, the list of victims expanded to include tech firms, government entities, and security companies.
Then came news of HAFNIUM at the beginning of March. Microsoft found that this threat actor was exploiting four vulnerabilities in Microsoft’s Exchange Server software to exfiltrate sensitive information from affected organizations. Other threat actors eventually caught on and leveraged the same weaknesses to distribute new ransomware strains, malicious cryptominers, and other threats.
Hardening the Federal Software Supply Chain
It didn’t take long for the Biden Administration to respond to the attacks discussed above. In mid-May, it released an “Executive Order on Improving the Nation’s Cybersecurity.” The directive included language aimed at securing the U.S. federal government’s software supply chain.
“The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions,” the Executive Order (E.O.) notes. “The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of ‘critical software’ — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern.”
Acknowledging this necessity, the White House ordered the Secretary of Commerce, the Director of NIST, and others to collaborate on developing an official definition of “critical software.” Those individuals will compile a list of software and software products that meet the definition, along with guidance outlining security measures for those products. It will then be up to federal agencies to comply with the best practices of encryption, network segmentation, least privilege, and other principles encapsulated in those guidelines.
Federal agency heads won’t be the only ones helping to develop those security recommendations. Indeed, the E.O. ordered the Secretary of Commerce and the Director of NIST to solicit input from the private sector, academia, and other stakeholders on crafting new criteria for evaluating the security practices used by developers and suppliers. The Director of NIST will then publish preliminary guidelines on standards, procedures, and criteria as they relate to encrypting sensitive data and auditing trust relationships, among other supply chain security best practices. Six months later, the Director of NIST will be responsible for publishing additional guidelines on conducting periodic reviews of the preliminary guidelines.
Improving the Nation’s Cybersecurity
Biden’s E.O. isn’t focused only on hardening the software supply chain. Rather, it treats supply chain security as part of a broader effort to modernize the U.S. federal government’s cybersecurity. Toward that end, the Executive Order requires federal agencies to adopt a zero-trust architecture and to uphold this security model by implementing best practices such as encryption and multi-factor authentication (MFA).
Federal organizations don’t need to make those shifts on their own; they can adopt new technologies that help them complete the transition to those security controls. Agencies bound by the E.O. might specifically consider investing in a solution that protects their email communications with encryption. Such a solution should be capable of scanning emails and attachments automatically so that it doesn’t disrupt employee workflows—all while keeping any and all information contained in employees’ inboxes safe and secure.