Yesterday, President Joe Biden signed a broad executive order on cybersecurity to fill gaps exposed by several massive recent cyber incidents. The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.
The recent incidents, taken as a whole, crossed a threshold from the familiar series of serious, but isolated, attacks to cascading crises that expose the United States to systemic danger. Most recently, the Colonial Pipeline “double extortion” ransomware attack demonstrated that a single critical infrastructure company can affect the lives of tens of millions of Americans. In two other cases, Russian hackers compromised the update process for network administration software from SolarWinds to introduce back doors onto private and federal computer networks, and vulnerabilities in Microsoft’s email server software reportedly meant that until patches were available on March 2, more than 100,000 systems may have been accessible to attackers from as early as January of this year. And then there are the ransomware attacks on hospitals in the middle of a global pandemic, and a targeted attack on a water system in Florida, both of which threatened fatal consequences.
Officials charged with protecting U.S. critical infrastructure do not have visibility into the computer networks that control that infrastructure because it is largely owned and operated by the private sector. The new executive order will start a process that will modify Federal Acquisition Regulations (FAR) to require federal contractors to report cyber incidents promptly and to share more information with the federal government about both incidents and security practices on contractor networks. Administration officials hope this new stream of information will offer more clarity on the best ways to deter bad actors, whether that might include sanctions, indictments, or naming and shaming attackers. The information may also facilitate retribution by the authorized agencies against the attackers’ infrastructure.
But even the officials directly involved know these measures will not change the behavior of adversaries, end the tsunami of ransomware attacks, or get stolen information back. With this executive order, the administration has taken the action available to the executive, focusing on federal networks and contractors. Implementation will matter, specifically what information contractors will have to provide. And Congress will need to pass legislation to make these measures apply across the economy.
Thinking Further Ahead
During the next 60 days, the agencies charged with translating the executive order into regulatory action could ensure the federal government is thinking more than one step ahead. The requirements the new regulations will impose on contractors to share information about known and suspected incidents could become a first step toward collecting the necessary information for a different and longer-term purpose: developing standardized risk models and metrics. If contractors share the right details about cyber incidents, the federal government would have a dataset to support an analytic approach to understanding cyber risk through powerful statistical analysis of attacks and attackers. That dataset should be maintained separately from the agencies that would use it for operational or law enforcement purposes, and should be used instead to provide better tools and guidance to cybersecurity programs in private industry and throughout government on making their networks more resilient.
In 2020, the Cyberspace Solarium Commission, a bipartisan panel composed of members of Congress, senators, executive branch officials, and private sector experts, recommended creating a new federal agency for this purpose: a Bureau of Cyber Statistics (BCS), housed at the Commerce Department, away from the operational and enforcement-oriented functions of the Cybersecurity and Infrastructure Security Agency (CISA), and staffed with cybersecurity and statistical analysts. The BCS would have no enforcement or operational responsibilities for federal agency or private-sector cybersecurity; rather, it would aggregate detailed information about cyber incidents and then publicly release datasets and models describing the risk. Those datasets would be anonymized, maintaining the confidentiality of the reports provided by private-sector organizations while providing the raw material to conduct robust risk assessments that help organizations improve their cybersecurity programs.
The Commerce Department would be a better fit for a BCS than CISA’s parent agency, the Department of Homeland Security, because Commerce already has the Economics and Statistics Administration, which houses both the Bureau of Economic Analysis and the Census Bureau, and it has the National Institute of Standards and Technology. Commerce also houses the National Weather Service (a bureau of the National Oceanic and Atmospheric Administration), which supports all things weather-related in the private sector through the daily release of over 6.3 billion weather, water, and climate observations. At Commerce, the more research-oriented work of a BCS would be situated in a familiar environment.
The BCS, similar to other statistical agencies, should have the means to compel private companies to share such information, coupled with a stringent requirement to protect the identifiable information about companies and incidents from release. BCS could not take action against breached companies for cyber incidents; those authorities would remain with the Department of Justice and other law enforcement agencies.
Independence for the Cyber Safety Review Board
Another cyber-specific agency would also help. The executive order creates a cyber-focused panel, the Cyber Safety Review Board (CSRB), modeled on the National Transportation Safety Board (NTSB), but established as a federal advisory committee, led by and reporting to the Secretary of Homeland Security. The NTSB is called in when a transportation accident takes place and has broad powers to investigate, but it is separate from the regulators and the enforcers; a full-fledged Cyber Safety Review Board would fulfill a similar role with regard to cyber incidents, but creating it by executive order limits its authorities, responsibilities, and independence. Only a statutorily created board that is independent from agencies like DHS and has clear authority to discover evidence and take sworn testimony would have the kinds of authorities that give the NTSB and its investigations teeth.
The NTSB is highly respected and has changed the entire way safety works in transportation, because it is separated from operational, regulatory, and enforcement elements of the rest of the federal bureaucracy. The Cyber Safety Review Board needs similarly delineated responsibilities. The root causes of incidents published by such a board would, in combination with the datasets released by the BCS, permit organizations to understand clearly how the threats they face and vulnerabilities they tolerate actually interact to give rise to incidents and — better understanding the risk — how to address it.
All of these changes would support national security policymakers seeking to get ahead of the cyber risks facing critical infrastructure. Right now, federal cybersecurity officials do not have the ability to compare risk across sectors or good visibility into how critical infrastructure companies overall are modeling risk and then making risk management decisions, because the risk models are too individualized to specific companies (when they exist at all). Put another way, even if Colonial Pipeline had shared its risk assessment with CISA, CISA would not have been able to understand what was different between Colonial and another pipeline company, because the agency wouldn’t have a way of comparing different companies or analyzing the sector as a whole.
Once a BCS- and CSRB-driven risk approach is available, companies could use those data and models to assess risk on a common set of assumptions. Officials at CISA would then be in a better position to identify gaps in cybersecurity and use their authorities to fill them.
The new executive order is a first step in the right direction. If the information shared is sufficient to start data collection along the lines the Solarium Commission recommended for a BCS, Congress can take the next steps by creating both the BCS, with the mandate to collect cyber-incident information from a broader swath of the private sector, and the CSRB, with a set of expert leaders to independently investigate cyber incidents and report their conclusions. The route to solving this problem is long; it is past time to start traveling it.