In May 2021, Colonial Pipeline came under attack. The American oil pipeline from Houston, Texas, suffered a ransomware attack coming from Russian organized crime. The attackers rendered much of the network unfunctional, halted 40% of the fuel supply and demanded a payment of $5 million — which they got. The attackers then sent Colonial Pipeline an app to restore their network functionality, but it operated very slowly.
It was the largest cyberattack on an oil infrastructure target in the history of the United States, but it wasn’t exactly surprising. Ransomware attacks are on the rise, and it was only a matter of time before big infrastructure got hit. In early 2020, hackers also broke into Texas-based SolarWind’s systems and added malicious code into the company’s network, demanding ransom.
In an attempt to address this, on May 12, President Biden issued Executive Order 14028. Focusing on improving the nation’s cybersecurity strategy, the order called fighting cyberattacks is “a top priority and essential to national and economic security.”
In general, the order seeks to coordinate government efforts and reduce the compartmentalization of the attack response teams within the government. The order also seeks to establish the widespread use of the National Institute of Science and Technology (NIST) security frameworks. It largely takes aim at government policies and process, but there are also aspects that take aim at the civilian space, especially when it comes to Internet of Things products (such as smart home systems, wearable health devices, and many more).
The order also requires the federal government to establish a “zero-trust” framework — which includes a software system policy that no one can use unless specifically authorized to do so. The order also mandates the adoption of multi-factor authentification and data encryption for government systems within 180 days; this applies to all agencies.
Reactions to the order have been mixed, but largely positive. The order is expected to have large implications for US cybersecurity, much like GDPR did for data privacy in the EU.
“Prompted by the SolarWinds hack and other security events, the US is equating cybersecurity with national security and making bold changes to software requirements,” writes JFrog DevOps, one of the largest companies in the field.
The order also proposes an aggressive timeline for these changes: between 45 and 120 days for agencies. However, many of these changes have already been largely established in the private market as best practices, and in general, the required changes seem manageable. However, when it comes to a creature as gigantic as the government, change is never easy.
Ultimately though, the order is a step in the right direction. It sets a higher bar for cybersecurity in general. The way things are going, cyberattacks are only getting more and more common, and the stakes have never been higher.
Whether or not this will be enough, though, is a different question. Traditionally, technology has adapted and shifted faster than policy — we can only hope that healthy policy will now try to keep up.