A pipeline that provides the East Coast with nearly half its gasoline and jet fuel remained closed on Sunday after yet another ransomware attack, prompting emergency White House meetings and new questions about whether an executive order strengthening cybersecurity for federal agencies and contractors goes far enough even as President Biden prepares to issue it.
The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefense.
It would create a series of digital safety standards for federal agencies and for contractors that develop software for the federal government, such as multifactor authentication, a version of what happens when consumers must enter a second code sent by a bank or credit-card company before they can log in. It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware and does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government.
Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.
The order, which is expected to be issued in the coming days or weeks, would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board, which investigates major accidents in the air or at sea.
The measures are intended to address the weaknesses that made the software company SolarWinds such an easy target for Russia’s premier intelligence agency, which used the company’s software update to burrow into nine federal agencies as well as technology firms and even some utility companies. (Despite SolarWinds’ extensive access to federal networks, an intern had set the firm’s password for its software update mechanism to “SolarWinds123.”)
But federal officials concede that the regulations would still almost certainly have failed to thwart the most skilled nation-state intrusions and disruptions.
Theoretically, the order could be more effective against the kind of criminal ransomware attack that took over Colonial Pipeline’s headquarters networks last week. But it was unclear whether Mr. Biden’s executive order would apply to the privately held Colonial Pipeline.