By Allison Grande
Law360 (May 14, 2021, 9:56 PM EDT) — The Biden administration has taken a major step toward curtailing a growing scourge of cyberattacks with a new executive order that not only imposes heightened cybersecurity requirements on the federal government and its contractors but also sets a strong example that’s likely to rub off on private companies.
In the wake of bruising cyberattacks on software provider SolarWinds Corp. and major fuel supplier Colonial Pipeline, which reportedly paid hackers nearly $5 million to recover data locked by ransomware, President Joe Biden signed an executive order Wednesday requiring government agencies and the companies that contract with them to bolster their cybersecurity and share more information about cyberthreats. The order also aims to create a national review board for major cyberattacks and a pilot program for a new labeling system that will provide both the government and consumers with information on the security level of software programs.
“The executive order definitely does ‘lead from the top,’ and hopefully by changing requirements related to cybersecurity for the federal government and federal contractors other organizations and businesses will follow suit,” said Sara Goldstein, a partner at BakerHostetler.
While the order isn’t expected to completely stop nation-states and other malicious actors from stealing data or locking down systems, the changes are likely to dramatically improve the ability of agencies and government contractors to prevent, detect, assess and remediate cyber incidents.
“From a big-picture perspective, it’s a good number of critical and urgent reforms,” said Michael Bahar, who co-leads the global cybersecurity and data privacy practice at Eversheds Sutherland and previously served as deputy legal adviser to the National Security Council at the White House. “Although it obviously won’t drive attacks to zero, it will certainly reduce the number and severity of attacks.”
The order also sends the message that cybersecurity is a top priority for the White House, which is likely to inspire private companies that are responsible for operating the vast majority of the nation’s critical infrastructure and are also regularly confronted with these issues to take cybersecurity just as seriously.
“The government can’t tackle these threats by itself, so it needs to talk the talk and walk the walk if it wants the private sector to do this as well,” Bahar said.
During a news conference Thursday, Biden said that while he lacked the power to “dictate that the private companies do certain things relative to cybersecurity,” it was becoming evident that “we have to do more than is being done now, and the federal government can be a significant value-add in having that happen.”
The executive order leans heavily on the government’s purchasing power and its standard-setting expertise, tools that the administration should be able to effectively use to “exert influence beyond those just doing business with the federal government,” noted John Dermody, data security and privacy counsel at O’Melveny & Myers LLP and a former attorney at the U.S. National Security Council, U.S. Department of Homeland Security and U.S. Department of Defense who was with the government from 2010 to 2019.
“This strategy is not new, and has proved to be particularly effective in the technology sector in recent years,” Dermody added. “We should expect that government officials will view cybersecurity standards in contracts not just as a means to secure government systems, but as a tool to more broadly influence industry.”
The new executive order seeks to bolster the cybersecurity landscape by creating a set of standards and tools to improve efforts by government agencies and federal contractors to identify and deter the “persistent and increasingly sophisticated malicious cyber campaigns” that have plagued the nation in recent years.
“When we’re talking about cybersecurity, we’re talking about reducing, not eliminating, risk,” said Brenda Sharton, litigation partner and global co-chair of Dechert LLP’s privacy and cybersecurity practice. “So while these aren’t magic bullets, anything that increases the focus on stronger cyber standards for critical infrastructure is a good thing.”
These enhancements include the creation of a pilot program for a new labeling system to provide the public with information about the security capabilities of certain devices and software sold to the government. The system will be modeled after the Energy Star label that signals a product’s efficiency level, the White House said.
The administration touted this system as a way to help improve vendor security, which hackers often target to infiltrate more secure government and corporate systems. This security gap has played an integral role in several major cyberattacks over the years, including the recent SolarWinds incident, in which hackers gained a foothold in companies and government agencies, such as the departments of Commerce and Treasury, by compromising SolarWinds monitoring products that these entities installed.
“We can focus on securing our own castles, but anything that flows in through the gates presents vulnerabilities that criminals can exploit,” Bahar said. “The idea of a software ingredients list is very important because in the rush to innovate, security is often an afterthought, and this moves the situation toward security by design in all stages of the supply chain.”
While the labeling requirement would extend only to internet-connected devices and software provided to the government, attorneys say they wouldn’t be surprised to see the consumer labeling criteria that the order directs the National Institute of Standards and Technology and the Federal Trade Commission to create within 270 days to be adopted more broadly.
“Even if you’re not selling to the government, in theory, you probably wouldn’t want to be put up against another product that has the label and risk people not buying your product because of that,” said Foley & Lardner LLP partner Aaron Tantleff. “So that may create a new threshold and raise the bar for everyone.”
The executive order also aims to modernize cybersecurity standards throughout the federal government by requiring agencies and their contractors to employ a zero-trust security model, which requires continuous verification of all internal and external users on the network to limit access to only what’s necessary, and to deploy “foundational security tools” such as multifactor authentication and encryption.
While many companies and agencies have already implemented at least some of these safeguards, the White House’s push to require them in the public sector is likely to further raise their profile across the board, attorneys say.
“By coming up with a set of standards that need to be accepted by contractors and the federal government, that’s likely to trickle down to the private sector and could help lift everyone’s cybersecurity and provide a great framework to make sure both the government and private sector are really doing what needs to be done,” said Aaron Charfoos, a partner in the privacy and cybersecurity practice at Paul Hastings LLP.
The federal government is no stranger to rolling out cybersecurity frameworks that have morphed into widely accepted and baseline standards across the business community.
One of the most prominent examples is the voluntary cybersecurity framework released by the National Institute of Standards and Technology in 2014. While the framework was intended to help banks, utilities and other critical infrastructure develop assessment tools to evaluate and strengthen their approach to managing cybersecurity risk, it has expanded well beyond this audience and is now viewed as a benchmark that’s been embraced by a broad range of companies.
Aside from the security standards, the private sector is also likely to borrow from the “standardized playbook” and set of definitions for cyber incident response by federal departments and agencies that the executive order mandates. The playbook would be designed to ensure that all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat, while also providing the private sector with “a template for its response efforts,” according to the White House.
“It’s crucial for companies to have a plan to both prevent and address data breaches and this executive order takes steps to help formalize that process,” said Sheila Armstrong, a partner at Morgan Lewis & Bockius LLP.
However, taking such a standardized approach to cybersecurity could also pose problems, noted Robert Braun, co-chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell LLP.
“Our experience is that while cyber incidents all have things in common, to suggest that there is a single playbook that can encompass it doesn’t reflect the differences between different companies and different types of attacks,” Braun said, adding that the standardized approach is likely to create “a compliance culture,” where government agencies are focused on “checking off boxes” rather than on implementing appropriate security and response measures.
The executive order additionally aims to improve the sharing of cyberthreat information between the federal government and private sector, which has long been a goal of those responsible for crafting cybersecurity policy.
Congress passed legislation in December 2015 that offered liability protections for companies that elected to voluntarily share information on cyberthreats with the federal government.
But while the legislation resulted in “a flurry of information-sharing,” the quality of these exchanges was lacking, as many contained the same cyber indicators and information that was less than helpful, Bahar, the Eversheds Sutherland partner, said.
The executive order aims to bolster these efforts by removing contractual barriers that block IT providers from sharing information about vulnerabilities or data compromises with the federal government. The new directive also requires technology providers that do business with the government to report to authorities data breaches that could pose a danger to federal networks.
“Hopefully, if such information can be shared more easily with federal agencies, then cybersecurity risks can be identified and addressed more quickly, to the benefit of both the private and public sector,” said Goldstein, the BakerHostetler partner.
Requiring government contractors to notify federal officials about significant breaches will also help improve cybersecurity detection and mitigation efforts, although questions are likely to swirl about the threshold for triggering this reporting obligation, what information contractors will be required to share with the federal government, and what regulators and other officials will do with this data.
“From a contractual standpoint, for example, it will be critical to develop terms that are balanced in a way that encourages companies to report significant types of cyber incidents … but aren’t so restrictive that companies do not have sufficient time to investigate and understand the incident and/or are required to report an overwhelming type of incident,” said Amy de La Lama, who heads the data privacy and cybersecurity practice at Bryan Cave Leighton Paisner LLP.
The private and public sectors will likely also benefit from the executive order’s creation of a Cybersecurity Safety Review Board, which will be made up of government and private sector members who will analyze how major breaches unfolded, similar to the way the National Transportation Safety Board issues reports after airplane crashes.
“A lot will depend on how the board is implemented, but in general, reassessing what happened after significant cyber events and sharing those lessons with the community and using them to inform and educate the public on what they can do to protect themselves is going to benefit everyone,” said Paul Hastings’ Charfoos.
With the Biden administration taking decisive action to offer a fairly detailed plan for improving cybersecurity across the federal government, attorneys say they’ll also be watching if Congress uses the progress to enact legislation to further incentivize cyber threat information-sharing, unify reporting obligations or require more defensive measures to be taken by the public and private sectors.
“The hope is that, given these recent activities that have demonstrated how critical cybersecurity is to national infrastructure and safety, some of these issues will be fast-tracked and receive bipartisan support,” said Tantleff of Foley & Lardner.
In the meantime, attention will turn to “the hard work of implementing” the executive order, which administration officials have stressed is far from the last step in bolstering the nation’s cyber defenses, Dermody noted.
“While already very detailed, [the executive order] sets an ambitious cybersecurity agenda for the federal government,” he said. “Accomplishing all the tasks is going to require sustained attention and support from senior officials.”
–Editing by Orlando Lorenzo and Emily Kokoll.