Washington — President Biden signed an executive order Wednesday aimed at hardening the federal government's cybersecurity defenses, as his administration tackles a slew of overlapping cyber hacks, including a ransomware attack on a major fuel artery that has caused gas shortages in at least seven states across the Southeast.
The executive order — months in the making — falls short of addressing critical infrastructure, including oil and gas pipelines, but directs the Commerce Department to author new standards for software vendors supplying the federal government. The cybersecurity rating system, likened to New York City's restaurant health grades, would mandate multi-factor user verification to new technology and added encryption.
Within four months, the Biden White House has been confronted by a sweeping Russian cyberespionage operation compromising nine federal agencies and roughly 100 private companies, in addition to a Chinese-linked, widespread Microsoft Exchange hack hitting tens of thousands of businesses nationwide. This weekend, Colonial Pipeline revealed a ransomware attack forced the company to shut down all 5,500 miles of its pipeline, responsible for delivering 45% of the East Coast's fuel supply.
The White House's new executive order nudges the federal government toward migrating to more secure cloud systems and establishes a "Cybersecurity Safety Review Board" with members from both the public and private sector.
"This executive order protects federal networks. Following the SolarWinds incident response, we were confronted by the hard truth that some of the most basic cyber security prevention and response measures were not systemically rolled out across federal agencies," said a senior White House official, who spoke on condition of anonymity under White House ground rules. "So we identified a small set of high impact cyber defenses that when implemented, make it harder for an adversary to compromise and operate on a hacked network."
Chris Wysopal, Chief Technology Officer and co-founder of cybersecurity company Veracode, called the executive order "surprisingly expansive" and welcomed the addition of an oversight board styled after the National Transportation Safety Board, that will help the private and public sector learn from cybersecurity incidents while maintaining the privacy of cyber victims.
"It's aggressive. It's serious. And I think it's long overdue," Wysopal added.
Leaders on Capitol Hill, who have been scrambling to propose legislation that will put dollars behind the federal government's promise to harden critical infrastructure, welcomed the order as a good start.
"Cybersecurity is a national security issue, and we commend the Administration for prioritizing it that way," Representatives Bennie Thompson, chairman of the Committee on Homeland Security, and Yvette Clarke, chairwoman of the Subcommittee on Cybersecurity said in a joint statement. "If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President today is just that."
"This executive order is a good first step, but executive orders can only go so far," Senator Mark Warner, chairman of the Senate Select Committee on Intelligence, said in a statement. "Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps."
"This is one of the most detailed and deadline-driven EOs I've seen from any administration. In the wake of a seismic attack, like SolarWinds, this is incredibly encouraging to see," Amit Yoran, founding director of US-CERT in the Department of Homeland Security told CBS News in a statement. "Within the next year, all software vendors for the federal government must have an established software development lifecycle. This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — one broken chain link can bring down the entire fence. While these practices won't prevent all supply chain breaches, it's an important step forward."
"We simply cannot let waiting for the next incident to happen to be the status quo under which we operate," a senior White House official added.
The presidential order closely followed an announcement from Colonial Pipeline, acknowledging it restarted operations at 5 p.m. ET, Wednesday. Energy Secretary Jennifer Granholm first broke the news via Twitter after a phone call with Colonial's CEO, Tim Felt.
Olivia Gazis contributed to this report.