The Biden administration is putting the final touches on an executive order aimed at helping the U.S. defend itself against sophisticated cyberattacks like the one Russian hackers recently leveled against Texas software-maker SolarWinds.
The order, which is still being drafted, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector.
"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, told NPR in an exclusive interview.
She says the executive order will "set the goal, give it a timeline and then establish the process to work out the details" on a handful of cybersecurity initiatives, from setting up new ways to investigate cyberattacks to developing standards for software.
The effort is all part of the administration's response to a recent cyberattack on a Texas software company called SolarWinds. Hackers linked to Russian intelligence compromised one of the company's routine software updates and used that access to break into about 100 top U.S. companies and about a dozen government agencies. The hackers roamed around the networks for nine months before they were finally discovered. It is still unclear whether this was merely an espionage operation or a precursor for something more sinister.
The hack itself was sophisticated and stealthy. The intruders used novel techniques and exploited gaps in the nation's current cybersecurity systems.
Among other things, the attack was launched from inside the U.S. on servers the Russians had rented from places such as Amazon and GoDaddy. By doing that, the hackers were able to slip past National Security Agency early warning systems because the NSA is not allowed to conduct surveillance inside the United States.
"We did a detailed study of SolarWinds and it showed that we have major work to do to modernize our cybersecurity ... to reduce the risk of this happening again," Neuberger said. "And the upcoming executive order is a big part of that."
"It's nobody's job ... to tell us what happened"
Among other things, the draft order includes something similar to the National Transportation Safety Board, or NTSB, for cyber. Just as the NTSB inspects the wreckage of a plane and recovers black boxes to see if the crash requires a systematic fix, a cyber NTSB would potentially paw through code and data logs to discover the root causes that permitted a successful cyberattack.
"What can we learn with regard to how we get advance warning of such incidents?" Neuberger said. "What allowed it to be successful? Potentially, what allowed it to be broad, if it was, which sectors were affected? Why?"
Alex Stamos is the former chief of security at Facebook. Now he runs the Internet Observatory at Stanford University and says that one of the problems with the country's overall cyber strategy is that there is no one in charge of looking at the big picture. An NTSB for cyber would provide some of that.
"You have the FBI, which is deeply involved in the incident response, but they are there to enforce the law. It's not their job to come up with conclusions for the entire society," he said. "You have DHS's CISA, the Cybersecurity Infrastructure Security Agency, their job is to work on defense. So they're probably the closest of the agencies to this, but they don't have any investigative powers. So we're in this weird position where it's really nobody's job ... to tell us what happened."
Neuberger says the executive order seeks to address that by creating more transparency. "If you or I are going out to buy network management software like SolarWinds and we want to buy the software that is most secure, we have no way of assessing which that is," she said. "And as a result, we have no way of saying, 'you know what? I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.' "
Neuberger said that the administration can remedy that by defining a set of requirements for the way software is built. Federal contractors will have to prove that they follow secure practices, such as isolating the environments where they develop software from the internet and showing that they use multifactor authentication. The administration is trying to change the way we all think of code: It isn't just zeroes and ones — it is critical infrastructure.
"The key here is we can't just expect companies to be motivated to build secure software because it's the right thing to do," said Kiersten Todt, managing director of the Cyber Readiness Institute and a former Obama adviser on cyber issues. "Government has to be working with these companies to tell them what secure software looks like and give them the resources, and incentivize them to do so."
She says consumers have a role to play, too. "If we start incentivizing security, then companies [and] the market will then inherently prioritize it because more people will buy the product," she said. "So there is a very much of a multi-stakeholder collaboration that has to happen here."
And an executive order alone won't do that.
"I think it's a first step," Todt said. "It's definitely not the Holy Grail. It's not a destination. It's the departure point."
Another perennial issue is that when companies are hacked in the U.S., a lot of them keep it to themselves. The revelation of a cyberattack often affects confidence, share prices and reputation.
The executive order is seeking to change that. Neuberger said federal contractors will be required to be more open about attacks. "If you're doing business with the federal government, then when you have an incident, you must notify us quickly," she said. "Because we'd like to take that incident and ensure that the tactics, techniques and procedures, the information is broadly shared." Then other companies, presumably, would follow their lead.
The chairman of the Senate Intelligence Committee, Sen. Mark Warner, told the U.S. Chamber of Commerce this week that he's working on a bill that will likely include some sort of "mandatory reporting" of cyber incidents and public-private cyberthreat intelligence sharing. He, too, said it was in response to the attack on SolarWinds.
But all this is easier said than done.
"The key is going to be in how each of these elements of the executive order are executed," Todt said. "And really how government is going to bring industry in to perform the functions to really look pre-event, middle of event, post-event and how we take those lessons learned and integrate them."
And while you may have never heard of SolarWinds or been affected by that attack, the connected world is increasingly vulnerable. And that is one of the messages the administration is trying to send.
"Cyberthreats loom large in a way that Americans feel," Neuberger said. "Can we trust our water, our power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running. We see school systems' networks down due to criminals. So, those risks touch everyday Americans' lives."
The Biden administration has already leveled sanctions against Russia for the SolarWinds attack. And the White House has said there would be more "seen" and "unseen" responses to the breach. The unseen responses — for example, whether the Biden administration is preparing a reprisal attack against Moscow in cyberspace — were not something Neuberger was willing to talk about.
RACHEL MARTIN, HOST:
You might remember that just before President Biden took office, the U.S. discovered a massive Russian hack of a Texas software company called SolarWinds. Now the Biden administration plans to release an executive order to prevent future hacks. Dina Temple-Raston of NPR's investigations team spoke exclusively with the senior White House adviser in charge of the response.
DINA TEMPLE-RASTON, BYLINE: The U.S. hasn't had much of a strategy to battle cyber attacks. Anne Neuberger thinks it requires a change in the way we think about them.
ANNE NEUBERGER: We're working to shift our mindset from responding incident by incident to preventing them in the first place.
TEMPLE-RASTON: She's the deputy national security adviser for cyber and emerging technology at the White House, and she's working on an executive order slated for release in just a couple of weeks. Among other things, the order will create something like the National Transportation Safety Board. Think of a hack like a plane crash. Just as the NTSB inspects the wreckage to see if there needs to be a systematic fix, a cyber NTSB would paw through code and other evidence to do the same.
NEUBERGER: What can we learn with regard to how we get advanced warning of such incidents? What allowed it to be successful? Potentially, what allowed it to be broad, if it was? Which sectors were affected? Why?
TEMPLE-RASTON: And so do you think that the NTSB is a good metaphor for it?
NEUBERGER: We do.
TEMPLE-RASTON: Neuberger says we need a new strategy because we've become so connected. All of us are vulnerable to attack. But there still isn't a unified plan for how to respond. For example, when companies get hacked, a lot of them don't tell anyone. A way to fix that, Neuberger says, would be to require federal contractors to report any breach.
NEUBERGER: If you're doing business with the federal government, then when you have an incident, you must notify us quickly because we'd like to take that incident and ensure that the tactics, techniques and procedures, the information, is broadly shared.
TEMPLE-RASTON: Companies are supposed to report attacks to the Department of Homeland Security now, but because it isn't required, many don't. In next month's executive order, Neuberger said they'll set this as a goal, provide a timeline, and then establish a process to work out the details. Alex Stamos runs the Internet Observatory at Stanford University.
ALEX STAMOS: This is actually kind of a weakness in our overall cyber strategy as a country, is that nobody is really in charge of looking at the big picture.
TEMPLE-RASTON: He'd like the idea of a cyber NTSB and getting perspective on the threat.
STAMOS: You have the FBI, which is deeply involved in incident response, but they are there to enforce the law, right? It is not their job to come up with conclusions for the entire society. You have DHS CISA, the Cybersecurity Infrastructure Security Agency. Their job is to work on defense. So they're probably the closest of the agencies to this, but they don't have any investigative powers. And so we're in this weird position where it's really nobody's job in six months to tell us what happened.
TEMPLE-RASTON: What happened is that Russian hackers piggybacked on a SolarWinds software update and then slipped right into Fortune 500 companies and government computer networks. Neuberger says that's a problem that needs to be addressed.
NEUBERGER: If you or I are going out to buy network management software, like SolarWinds, and we want to buy the software that is most secure, we have no way, Dina, of assessing which that is.
TEMPLE-RASTON: She suggests there's a way that the federal government can incentivize private companies to be safer. What if a government contract no longer went to the lowest bidder, but instead was awarded to a company that could document exactly how and where their software was built?
NEUBERGER: You know what? I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.
TEMPLE-RASTON: And they would need to say where their code was written and maintained. Kiersten Todt is the managing director of the Cyber Readiness Institute. She helped the Obama administration think through cyber issues, and she's been briefed on the new order.
KIERSTEN TODT: I think it's a first step. It's definitely not the Holy Grail. It's not a destination. It's the departure point.
TEMPLE-RASTON: But it's easier said than done.
TODT: The key is going to be in how each of these elements of the executive order are executed and really how government is going to bring industry in to perform the functions to really look pre-event, middle of event, post-event, and how we take those lessons learned and integrate them.
TEMPLE-RASTON: Todt thinks the government is going to have to work with companies to tell them what secure software looks like, and an executive order alone won't do that. And while you may never have heard of SolarWinds or been affected by that attack, we are all increasingly vulnerable.
NEUBERGER: You know, cyber threats loom large in a way that Americans feel.
TEMPLE-RASTON: Anne Neuberger again.
NEUBERGER: Can we trust our water, our power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running. You know, we see school systems' networks down due to criminals. So those risks touch everyday Americans' lives, as well as at the national level.
TEMPLE-RASTON: The Biden administration has already leveled sanctions against Russia for the SolarWinds attack, and the White House has said there would be more seen and unseen responses to the breach. The unseen responses, like whether the Biden administration is preparing an attack in cyberspace, Neuberger declined to talk about directly. Dina Temple-Raston, NPR News. Transcript provided by NPR, Copyright NPR.