Via Teleconference
5:36 P.M. EDT
SENIOR ADMINISTRATION OFFICIAL: Hi, everyone. Good afternoon, and thanks for joining us on short notice. Today’s call will be on background, attributed to a “senior administration official,” and contents will be embargoed until 6:30 p.m. tonight.
With that, I’m happy to turn it over to our speaker.
SENIOR ADMINISTRATION OFFICIAL: Thank you so much. Good evening, everyone. So I’ll talk a bit about cybersecurity and the executive order. So, cybersecurity incidents like SolarWinds, Microsoft Exchange, and now the Colonial Pipeline incident are a sobering reminder that both U.S. public- and private-sector entities are very vulnerable to constant, sophisticated, and malicious attack — from nation-state adversaries to run-of-the-mill criminals.
These incidents are also a reminder that our adversaries will use multiple methods to attack, whether hunting for coding errors or compromising our supply chains to create an opportunity.
These incidents share a few things in common. First, a laissez-faire attitude towards cybersecurity. For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money. And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let “waiting for the next incident to happen” be the status quo under which we operate.
A second commonality among these incidents is poor software security, and the current market development of “build, sell, and maybe patch later” means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure.
These are systems that we use to run government and conduct commerce, systems that are used to deliver our power and our water, to help manage traffic on our roads. The cost of the continuing status quo is simply unacceptable.
Today, the cost of insecure technology is borne at the end by the victims in incident response and cleanup. And small businesses, schools, hospitals, and local governments bear the brunt of these costs.
So, much as growing traffic accidents do have a focus on safety with built-in airbags and seatbelts, the growing number and impact of incidents show us software security has to be a basic design consideration. We’d never buy a family minivan knowing it could have potentially fatal defects, with the expectation of recalls, or decide whether you want to install and pay for seatbelts or airbags afterwards.
Today, more than ever, cybersecurity is a national security imperative and an economic imperative. And I know I don’t need to say that, given what we’ve all just experienced in the last number of months.
So today’s executive order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely. It reflects a fundamental shift in our mindset — from incident response to prevention, from talking about security to doing security — setting aggressive but achievable goals to make the federal government a leader in cybersecurity, and improve software security and incident response.
Federal departments and agencies are aligning our actions and resources to mirror this shift. The executive order reflects lessons learned from recent cyber incidents and addresses many actions that we’ve deferred for far too long. I’ll take a few moments to highlight a few key elements of the executive order.
First, this executive order protects federal networks. Following the SolarWinds incident response, we were confronted by the hard truth that some of the most basic cybersecurity prevention and response measures were not systemically rolled out across federal agencies. So we identified a small set of high-impact cyber defenses that, when implemented, make it harder for an adversary to compromise and operate on a hacked network.
Tools like multi-factor authentication, encryption, endpoint detection response, logging, and operating in a zero-trust environment will be rolled out across government networks on a tight timeline as you’ll see in the EO.
Second, the executive order improves the security of commercial software in three key ways. First, by establishing baseline security requirements based on industry best practices. We wouldn’t build a building in an earthquake-prone zone without building standards. And we need standards for how we build software securely. We defined the initial standards in the EO and established a process for (inaudible) industry input to put those in place.
Second, we use federal buying power to jumpstart the market for secure software by requiring that all software we buy meet these standards in nine months.
Today, it’s hard for someone buying software to know how secure it is, so the executive order requires companies to do vulnerability scans and make those available to customers regularly.
We’re working to bring visibility to the security of software, akin to the way New York brought visibility to cleanliness in New York City restaurants by requiring restaurants to post simple ratings like A, B, C, or D regarding the cleanliness in their windows. Visibility matters.
The EO will also help drive the market to secure products by giving consumers visibility, as I said, into what they’re buying.
Singapore has built the Cybersecurity Labelling initiative for Internet of things connected devices. That’s a great starting point for the United States. So, the EO directs NIST to develop a similar program and to work with the private sector and other agencies to find ways to encourage manufacturers to participate.
This program will touch consumers in a meaningful way. Today, for example, parents looking at two different video baby monitors have no way of knowing which is built more securely. This program will change that — giving the consumer insight while simultaneously rewarding the company that makes the more secure monitor with recognition in the marketplace.
The third way the executive order improves security of commercial software — sorry, third — even as we shift our mindset to prevention, we acknowledge breaches will happen and the EO outlines specific steps to ensure the federal government is in a position to respond quickly when they do and then learn from those incidents.
The executive order addresses barriers to information sharing before and during an incident. IT providers who sell to the government are required to report breaches and rapidly share cyber threat information with the federal government, which the government can then share broadly to protect all Americans.
Federal agencies can’t defend what they can’t see, so removing barriers to information sharing regarding threats and incidents is a fundamental first step to preventing breaches in the first place and empowering the federal government to respond when they do occur.
The EO also establishes a Cyber Incident Review Board that will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity going forward. The Cyber Incident Review Board will have a private sector co-chair, referencing the administration’s focus on bringing in and partnering with the private sector on cybersecurity. We’ve modeled it on the National Transportation Safety Board used for airplane incidents.
Fundamentally — I’ll close and then look forward to your questions — this executive order is about taking the steps necessary to prevent cyber intrusions from happening in the first place; and second, ensuring we’re well positioned to react rapidly to address incidents when they do occur.
The executive order makes a significant contribution to modernizing our cybersecurity, particularly federal cybersecurity and software security — the software we all use. But I should stress that it alone is not enough. This will be the first of many ambitious steps the public and private sector must and will take together to safeguard our economy, security, and the services on which the American way of life relies.
So, with that, I look forward to your questions, and — and I’m happy to engage with you on the executive order.
SENIOR ADMINISTRATION OFFICIAL: Great. Thank you. We’re ready to open the line for questions now.
SENIOR ADMINISTRATION OFFICIAL: David is always going to be first.
Q Oh, hardly, but thank you for doing this. So this always — because of the environment in which you’re bringing this out — after SolarWinds, and after the hacking attack, and then, of course, Colonial — there’s some question about what it’s designed to protect against and what it isn’t. And you hinted at this when you said this sets some baseline standards.
But at the same time, I don’t think anybody expects that these would necessarily help you against a dedicated state actor or even a really sophisticated ransomware actor, but maybe it would.
So could you tell us a little bit about what you think the limits of the authority are in your ability to go do this: what you would need Congress to be able to do if you wanted to go considerably further?
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So you asked a lot of nested questions in there, David, so I’ll get started, and we’ll see what we hit.
So, first, yes, we — you know, we looked at the immediate incident that just occurred, but then, more broadly, and said, “What are the foundational reasons why incidents occur?”
So, as we looked, for example, at SolarWinds, you know, we saw the way the SVR compromised SolarWinds in the way they built software. And we said, fundamentally, building software, like building a building, must be done with standards on networks that are segregated, where users have to use multi-factor authentication to log in.
So we zeroed in on the way software is built as a key way to ensure supply chain attacks are harder. And you’ll see both — and we wanted to do so in a way that clearly set the groundwork by including what needed to be in the standard in the EO, but also created a process to bring in the private sector to refine that.
So both elements of that were done to create the — first, bring in the private sector, and then say, “And, oh, by the way, we’re going to use the power of federal procurement to jumpstart this market because everything we buy has to be built securely, beginning in the — beginning in a short timeframe.” So that’s one key way.
The second key thing we saw was that, because the U.S. government doesn’t (inaudible) about incidents — and, as you know, there’s been various discussions on the Hill regarding mandatory breach notification — it’s hard to learn from each incident and ensure that, broadly, government and companies have information to protect themselves.
So we’ve pushed the authority as far as we could and said, “Anybody doing business with the U.S. government will have to share incidents so that we can use that information to protect Americans more broadly.”
And then, the third thing I would note is the federal government needs to be a leader in this space. And we all know cybersecurity — folks look at it and go, “It’s hard. It’s costly.” So we picked five specific things that we said are — makes life significantly harder for a hacker to hack or — like encryption — if they do hack, it’s far harder for them to use the data because the data is encrypted.
And we said, “We’re going to roll those out across the federal government in a tight timeframe as you see in the EO — encryption rolled out in six months. If not, a waiver required that has to be approved at — by the NSC.” Right? Some — so pretty serious.
And what we’re trying to do there is show companies, state, and local: Focus on these five things. They’re usually impactful and, much as we get them done, you can get them done. And follow our lead and move out there.
Q Yeah. Hi. Thanks so much for doing this today. I wanted to ask you how you view the impact of this EO looking forward. To what degree do you think it’s going to improve the government’s ability to detect breaches like the SolarWinds breach? I know there’s various elements here, including the breach disclosure, as well as the software bill of goods. But when you look at this EO and you look forward, just how much do you think it’s going to actually help the government find these breaches quickly?
SENIOR ADMINISTRATION OFFICIAL: I think it will have significant impact because it requires technology like endpoint detection, logging, and multi-factor authentication to be rolled out within six months on some of those, and other tight timelines on the others.
So, fundamentally, what we saw on SolarWinds was that federal government cybersecurity was not at the level needed to detect attempts to intrude and to rapidly find those that are successful. So I think that’s why we picked these specific technologies. So endpoint detection, right? An agent deployed on computers and servers that is actively looking for malicious cyber activity and, when finding it, rapidly flagging, blocking. So when — I think, fundamentally, it will have a significant, significant impact in reducing the risk of incidents.
SENIOR ADMINISTRATION OFFICIAL: I just want to make — and while you open that line — that everybody has seen the Colonial Pipeline announcements. It’s something we’ve all worked very hard on the last number of days and a tribute to Colonial for their work on this as well. So I want to make sure we flag that for everybody here.
Q Okay, thank you. That’s a great segue to my question. Thank you. Can you talk about what you would like to see Congress do with some of these ideas for companies that are not contractors? (Inaudible) the executive branch can’t just use its procurement authority?
Would you support Congress expanding some of these information-sharing and breach-reporting requirements to a broader set of private companies, perhaps starting with critical infrastructure, such as Colonial, given that they have not — or, as of yesterday, they had not shared information with CISA about this breach?
SENIOR ADMINISTRATION OFFICIAL: So, absolutely. First, as you correctly noted, Eric, we worked hard to find the best way to be — to set aggressive and achievable efforts within what could be achieved in an executive order; and really to, you know, pilot all of these different efforts that have been discussed for a while; and to use, as you noted, the power of federal procurement to say, “If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.” Right?
Because that not only benefits the government, it — we’re all using the same software. Right? We’re all using Outlook email. We’re all using Cisco and Juniper routers. So, essentially, by setting those secure software standards, we’re benefiting everybody broadly.
I think that that gives the Hill the opportunity to look at the things we’ve put in place here, the five cybersecurity efforts we’re rolling out across the federal government. The secure software standards. A labeling program, right? Piloting a labeling program, much like ENERGY STAR does for energy efficiency. And certainly the — building software certainly and requiring companies to scan their code and make available the results so that customers can actually compare — right? — the relative security of products and say, “No, I want to buy the more secure one.” Which is a huge market advantage.
Right now, there’s no way to assess security in the market, so there’s no way to say, “Hey, I’ll pay a little more” and to incentivize the market.
So I think looking at a number of those efforts gives the Hill the opportunity to say, “Which of these should be applied more broadly? And where is there additional authorities needed?” And critical infrastructure is one area where, you know, it’s private-sector owned and the private sector makes individual decisions regarding cybersecurity. So there’s a number of efforts here that really set the — set the goal lines that folks can look to.
Q Hey. My question is on that information sharing. Can you talk a little bit more about that? What exactly do companies need to share when an incident happens? How quickly do they need to share it? But can you just expand on that a little bit, please?
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So companies need to share information about the incident: the vulnerability, what occurred. We’re really focused on information that’s important to be used to get out information to better help other entities defend themselves.
And CISA will be leading an effort to really solidify those details and define the thresholds of what needs to be shared for specific incidents, but it needs to be shared within specific timelines on a sliding scale based on the severity of the incident. What we were trying to do was really — you know, as you’ll see throughout the executive order, is really balance security value, and an effort to ensure that everybody puts their efforts on the most impactful things.
So we outlined the left-to-right boundaries of what needs to be done, put enough detail to get it started, and then asked individual agencies — whether it’s NIST for software development standards; or CISA, in this case, for sharing incident information — to put in place the specifics in a — on a tight timeline. And then make sure the reporting is shared across relevant agencies, because that’s the second piece.
We’re really creating a common threshold across the federal government to say, “Let’s make sure that info is shared so all can defend themselves and all can get out information to private-sector stakeholders and others to enable them to defend themselves as well.”
Q Hi. I know this executive order has been in the works for weeks. And, you know, given that the Colonial Pipeline incident is so recent, I’m assuming that none of — nothing from that incident was really factored into the executive order, but feel free to correct me if I’m wrong.
And then the second part of my question is, some people on the Hill, and even the chairman of FERC — the Federal Energy Regulatory Commission — have called for regulations of the pipeline industry in light of the incident. I’m wondering if you and the White House support such regulations and what more you hope to do, policy wise, on the pipeline issue. Thank you.
SENIOR ADMINISTRATION OFFICIAL: Got it. So three questions there. First, we’ve been working on the executive order pretty much since, you know, week two of the administration. When we came in and, you know — looking at — many of us have, you know, background in this space and said, “What’s causing these incidents?”
And to your point about how Colonial is factored in: The same things that caused a SolarWinds, that caused an Exchange, cause Colonial — right? — which is cybersecurity technology not being rolled out to meet the threat, inadequate visibility of the network.
So that’s really what we — you know, we’re focused on addressing. And, you know, Colonial, fundamentally, was an IT incident, and this executive order will make IT software more secure. And because the U.S. government uses SCADA software, any SCADA software sold to the U.S. will have to meet the standards referenced in the executive order.
So that’s some of the ways that we were really creative, you know, and tried very much to shape that next — shape the software market using the power of federal procurement.
And to your final point about regulatory gaps: It’s certainly an area, as we now take a deep breath and look back at Colonial — much as we’ve done for other incidents that occurred — we now will look back at that and say, “What more may be needed in this space?”
I’ll take the opportunity to note: You may have seen the administration, in mid-April, launched the Industrial Control Systems effort to, you know, within a public-private framework — because critical infrastructure is privately owned — strongly work with the sectors to strongly encourage companies to roll out the sensors, the visibility to detect and block malicious cyber activity. And certainly, we’ll be doubling down on that effort now with the various critical infrastructure sectors since I think everybody has a greater sense of urgency about ensuring such efforts are in place.
Q Hi, thank you for taking my question. I’m curious if you can talk a little bit more about how this incident review board will be set up, what’s the timeline, how the private sector chair will be chosen — just any more details you can provide about that.
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So, much like I noted earlier, we highlighted a few parts of it in the — of how it’s stood up in the executive order. And then (inaudible), you know, asked that first effort occur, and then we’ll learn by that.
So, first, it’s set up by DHS, under its CIPAC authorities, which, as you know, allows DHS to bring together private-sector entities. It’s co-chaired by the Secretary of DHS and a private sector leader. It includes the Department of Defense, NSA, the Department of Justice.
I expect that we’ll pick the private-sector leader based on the specific incident that occurs. So, for example, if it’s a — if it’s a SCADA incident, it probably will be somebody with deep understanding of SCADA critical infrastructure. If it’s a — an issue that we experienced with the commercial software, it may well be an entity who has deep insight in that area. And that will be the way we work through that.
They will do their tasks to do their first effort as a review of SolarWinds and deliver their first report on SolarWinds, along with recommendations of how to solidify the board so that — and this is really the goal — that every major incident that occurs, we have a thoughtful way of reviewing it and learning from it.
SENIOR ADMINISTRATION OFFICIAL: Thank you, everyone. That’s going to conclude the call for today. A reminder that today’s call is on background, attributed to an “SAO,” and will be embargoed until 6:30 tonight.
With that, we’ll conclude.
SENIOR ADMINISTRATION OFFICIAL: Thank you, everyone. Good evening.
6:00 P.M. EDT