Biden Extends Huawei Ban and Issues New Guidance on Improving Cybersecurity

This week, the Biden Administration took two steps to strengthen cybersecurity. These actions were prompted initially by the recent Solarwinds cyberattack, but accelerated by the May 7th Colonial Pipeline ransomware cyberattack that affected fuel deliveries in the United States.

On May 11th, the Administration extended a previously approved national emergency order to improve the nation’s cybersecurity with regards to securing information and communications technology. The order was set to expire on May 15, 2021 but will now stay in effect until May 15, 2022. This extends the ban on the use of Huawei and ZTE devices in the United States’ information and communications infrastructure. On May 12th, the Administration followed up by issuing its Executive Order on Improving the Nation’s Cybersecurity.

Highlights from Executive Order on Improving the Nation’s Cybersecurity

The following are some key points from the Executive Order:

• “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
• “It is the policy…that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
• “Removing barriers to sharing threat information” is important. “Sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts.”  
• “The Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
  

The EO also dictates the need to establish a Cyber Safety Review Board, standardize the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents, improve detection of cybersecurity vulnerabilities and incidents on federal government networks, and improve the investigative and remediation capabilities.

Guidance on Software Bills of Material

One of the more notable areas of this EO is its recommendations around Software Bills of Material, or SBOMs. An SBOM shows a user the various components inside the software that they have purchased from a particular vendor. Because software developers often leverage open source and third-party software components to create their final product, it’s extremely important for users to understand what could be hiding in their software. SBOMs help users quickly determine whether they are at risk of compromise from an emerging vulnerability and also reduce risk from third-party components or prohibited suppliers.  

What’s Next for Critical Infrastructure Cybersecurity?

This EO, the recent 100 day plan for electric system cybersecurity, and new bills related to cybersecurity and infrastructure making their way through Congress are an indication of the federal government’s readiness to step in and regulate cybersecurity for critical infrastructure companies, particularly in the energy sector.

“These actions suggest that stricter government regulations for critical infrastructure cybersecurity are right around the corner,” said Jim Crowley, CEO of Industrial Defender. “Electric utilities have had to comply with the NERC CIP regulations that enforce standardized security controls for many years, which means the regulatory infrastructure to do this is already there. It’s highly likely that a similar set of enforceable standards based on NERC CIP or the NIST Cybersecurity Framework will be introduced for the entire energy industry.”

Of course, an Executive Order is just a first step. While the document provides strategic direction, the success or failure of this initiative will depend upon how well the government can work with industry and academia to define solutions to these complex problems, and on how well the implementation process is executed.