Biden’s executive order lays out a plan of action that applies to federal contractors, but it may also signal cybersecurity changes coming to the private sector.
In response to recent supply chain cyberattacks, U.S. President Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” in May 2021. The order stresses the urgency of a robust national cybersecurity plan as cyber threats continue to loom over the public and private sectors, and ultimately over the safety of individuals.
Internet governance is mostly privatized, allowing it to take on a life of its own. Until recently, this went largely unchecked as the digital world wove itself into every facet of our lives, but lately it is prompting interventions. Take, for example, data scientist Frances Haugen, the whistleblower whose disclosures of internal Facebook research exposed how much influence the company has over public discourse and users’ well-being.
To navigate our world, we’re all but required to opt in to the digital infrastructure, contributing to a larger network that catalogs, predicts, and dictates our behaviors. Now, the federal government aims to work with the private sector to both understand the threat environment in the digital sphere and protect privileged data and operations.
What’s stated in the executive order on cybersecurity?
The Biden administration will use its resources to protect both the information technology (IT) and operational technology (OT) of the federal government by improving the security of federal contractors. Under the new policy, IT and OT service providers that contract with the government are required to report cyber incidents and share threat information with the agencies they serve, with the Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) and with the FBI.
The order also addresses the need to modernize the federal government’s approach to cybersecurity: moving toward a zero-trust architecture, securing cloud services, deploying multifactor authentication and encryption of data at rest and in transit, and streamlining access to cybersecurity data by investing in the right personnel and technology. It recognizes the need to improve software supply chain security by evaluating and auditing software before it is purchased and by automating tools that monitor for vulnerabilities. It also directed NIST to define “critical software” that warrants heightened protection; NIST’s resulting list includes endpoint security software and password managers.
Recent government hacks & breaches
In December 2020, we learned that the U.S. IT firm SolarWinds had been compromised. Threat actors inserted a backdoor into updates of the firm’s Orion software, which were then installed by its clients, including Fortune 500 companies, healthcare facilities, and branches of the U.S. government, and used that access to spy on selected victims. They moved around the networks for months before being caught. The incident also exposed poor password hygiene at SolarWinds: a security researcher had found the company’s update server protected by the easily guessed password solarwinds123. That password was never confirmed as the intruders’ way in, but it shows how a single weak credential at a supplier can put every customer at risk.
The SolarWinds hack is not an anomaly, for the U.S. or globally. In the first half of 2021, the Center for Strategic & International Studies (CSIS) cataloged 87 significant state-sponsored attacks around the world, aimed at either extortion or espionage. Some campaigns began as early as 2017, such as the “Ghostwriter” influence operation, in which news sites and the social media accounts of government officials were hacked to spread false stories intended to create distrust of NATO forces in Eastern Europe. Yet it wasn’t until September 2021 that the EU formally blamed Russia for the campaign.
This is not the first time cybersecurity as it relates to government contractors has been addressed. In 2013, President Barack Obama issued Executive Order 13636, which directed NIST to develop what became the NIST Cybersecurity Framework. But more than eight years later, attackers have become more sophisticated, and the entire digital landscape continues to evolve.
What individuals & companies can learn
The executive order may primarily deal with federal contractors, but that’s not to say it doesn’t have implications for private corporations and for us as individuals.
Cyberattacks can affect our lives in a very direct sense, as in 2017 when the WannaCry ransomware, attributed by the U.S. and U.K. to North Korea’s Lazarus Group, hit the U.K.’s National Health Service (NHS). The malware encrypted files on hospital systems and demanded payment, threatening to delete the files if the ransom was not paid; with their systems down, affected hospitals had to divert ambulances and cancel appointments.
When it comes to privacy on an individual level, we entrust our information not just to government agencies but also to corporations. Large companies that retain the personally identifiable information (PII) of many individuals are also targets for attackers, as we saw with the August 2021 breach of T-Mobile, which affected roughly 50 million current, former, and prospective customers. This is another indication that the practices the executive order mandates will likely spread to the private sector, whether through regulation or market pressure.
Critical software for protecting your company—and yourself
NIST named password managers as one type of software critical to endpoint security, along with full disk encryption and software that “searches for, removes, or quarantines malicious software.” Its preliminary list names many other types of software across categories including identity and credential management, operating systems, and web browsers.
While these are guidelines for federal government contractors and subcontractors, they can also be applied to businesses and individuals. If companies truly want to protect their customers’ assets, and by extension their own reputations, the executive order provides a framework for establishing a sound cybersecurity plan.
For individuals, the best way to protect ourselves against threat actors is to invest in our own security. Use the software that’s available to protect your digital life and take a proactive approach: adopt a password manager so every account gets a unique, strong password; turn on multifactor authentication where it is offered; and install privacy-focused browsers and browser extensions.