Following major cybersecurity attacks targeting government agencies and critical infrastructure, President Joe Biden released a far-reaching executive order in May to curb breaches.
“The federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order said.
A key component of the “Executive Order on Improving the Nation’s Cybersecurity” is to better fortify software systems. It noted that the development of commercial software often lacks transparency and sufficient focus on the ability of the software to resist attacks.
“There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended,” the order said. “The security and integrity of critical software — software that performs functions critical to trust such as affording or requiring elevated system privileges or direct access to networking and computing resources — is a particular concern.”
The directive will establish baseline security standards for the development of software sold to the government, as well as requiring developers to ensure greater visibility into their platforms and making security data publicly available, according to the White House.
Additionally, it will launch a pilot program that will create an Energy Star-style label so government personnel can quickly determine whether software was developed securely, according to a fact sheet from the White House. Energy Star is a government-backed symbol for energy efficiency that is run by the Environmental Protection Agency.
James Andrew Lewis, director of the Center for Strategic and International Studies’ Strategic Technologies Program, said software security is the centerpiece of the executive order.
“The other parts are important, too,” he said. “But this is the one that could have the biggest effect.”
Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council, said the Biden administration wants to create a demand signal for secure software.
The executive order has “some key pieces that were meant to jump-start the broader market for secure software, clearly using the power of federal government procurement to drive security in the software everybody uses,” she said in May during an event hosted by CSIS.
The executive order is aimed at putting “our money where our mouth is” and only purchasing software that meets certain standards, she said.
“What’s the best way to incentivize? Money,” Neuberger said. “At the end of the day, we may not be able to impact the whole sector, but the U.S. government buys so much IT.”
The order instructs the director of the National Institute of Standards and Technology to solicit input from the government, private sector, academia and other stakeholders to develop new standards, tools and best practices for secure software, which should include data encryption, the use of automated tools, and monitoring and alerting to respond to cyber incidents.
Baking security into software at the start is key, Neuberger said.
“When you’re building a building in an earthquake-prone zone, you have building standards,” she said. “When you’re building software in a world where there are sophisticated nation-state attackers constantly hunting for vulnerabilities in that software, build it in more secure ways.”
Working with industry is critical as the government creates these standards, Neuberger said. The administration wants to establish “aggressive but achievable goals and to bring the private sector into that, because at the end of the day that’s the root of innovation” in the United States, she said.
The administration coordinated closely with industry as it developed the executive order, seeking input and ideas and better insight into how fast the private sector could implement changes, she said.
“One key piece we heard again and again was there’s such a missed opportunity to use federal procurement to drive a secure market,” Neuberger said. “That’s really what we tried to set here.”
The administration also took a deep dive into major hacks such as the SolarWinds attack to see what kind of measures could have prevented such an incident, she said.
“We baked that into the core components that are outlined in the EO that are required for the way software is built and maintained,” she said.
Jeffrey Greene, acting senior director for cybersecurity at the National Security Council, said the requirement to build security into software will have an effect on both the federal and commercial markets.
Industry is “unlikely to build two different versions of their product — one less secure for the public and one more secure for the government,” he said during the CSIS event. “That will, hopefully, create some good copycat effect.”
While there hasn’t been enough market demand over the past decade for secure products, that is changing now, Greene said.
“We’re in a different place,” he said. “In general, both industry and individuals are much more attuned to cyber as a risk to their wallet and their privacy.”
Kelly Bissell, global security lead at Accenture, said over the past 30 years there has been an incentive for companies to build “minimum viable products.” The thinking was, “get the product out the door and then let your users find all the defects,” she said.
However, the executive order changes incentives, she said.
“It doesn’t stop at the federal government,” Bissell said. “It will bleed very, very quickly into the private sector.”