White House, Congress Aligned on Cybersecurity Goals
WASHINGTON – As Congress edges closer to putting a final infrastructure bill on President Joe Biden’s desk, it looks like lawmakers and the White House are aligned in their commitment to bolster U.S. cybersecurity through increased federal investment, focusing on prevention and utilizing public-private partnerships to establish baseline standards.
With the pandemic strong-arming both public and private sectors to “shift operations online,” the global health crisis has “exponentially expanded the surface area for cyberattacks,” said Rep. Yvette Clarke, D-N.Y., yesterday during an Information Technology Industry Council event on “Securing the Information and Communications Technology and Services Supply Chain.”
The continuous cyberattacks involving essential companies and products like SolarWinds, Microsoft Exchange and Colonial Pipeline have “blurred” the lines between cybersecurity and the security of physical assets, Clarke said. The first steps of defense begin with “effective information sharing between government and the private sector” to prevent the attacks from even happening, she urged, as these partnerships will “bring valuable industry perspectives.”
Brian Scott, director of critical infrastructure cybersecurity at the White House National Security Council, added that industry engagement has been a core element of Biden’s Executive Orders on cybersecurity. The ongoing engagement with stakeholders has resulted in the Department of Commerce’s expected direct investment of $75 billion for the private sector in domestic semiconductor manufacturing, and can be seen within Biden’s cybersecurity Executive Order 14028 on “Improving the Nation’s Cybersecurity,” which calls for the federal government to partner with companies in its very first paragraph.
Scott noted that the National Institute of Standards and Technology has been directed to consult with the private sector to come up with “specific guidance, identifying practices, standards, procedure and criteria of the software supply chain” and for software development by February 2022.
Behind drafting the order was the “need to shift our thinking from response to prevention,” he said.
Section 4 of the order, which Scott emphasized, focused heavily on the threat in the software supply chain. It aims to “improve the security of software by establishing baseline security standards for the development of software sold to the government,” Scott said, by requiring transparency by developers and applying a “change throughout the ecosystem” from the bottom up – building security into the product itself.
And software is another area that needs industry collaboration, as “[the order] stands up a concurrent public-private process to develop new and innovative approaches to secure software development and it uses the power of federal procurement to incentivize the market,” Scott said.
“By next March, [the Office of Management and Budget] will take action to mandate agencies to use software conforming to this guidance,” he said, referring to the guidance NIST has been directed to issue after it defines what counts as critical software and then works with the nation’s cyber quarterback, the Cybersecurity and Infrastructure Security Agency, to “provide use and configuration guidance to [federal] agencies.” NIST also has 270 days to establish two pilot programs for product labeling of Internet-of-Things devices and software development practices to inform the public on security measures, he added.
Executive Order 14017, which preceded the latest cybersecurity order and took a “whole-of-government approach” to reviewing U.S. supply chains, revealed an issue that Scott said was already well-known: a shortage of the semiconductor chips that run just about everything from smartphones to televisions.
“Once a global leader in semiconductor production with robust public support, the U.S. has outsourced and offshored too much semiconductor manufacturing in the recent decades,” Scott charged. In the last 20 years, he explained, the U.S. went from manufacturing 37% of the world’s semiconductors to 12%.
Both Scott and Clarke said robust investment in bolstering domestic manufacturing of semiconductors and research and development is needed quickly. Executive Order 14028, Scott said, backs the administration’s efforts to “build back better to modernize defenses, return to the international stage on cyber issues with allies and partners, and be better postured to lead and compete globally.”
Thus, Biden’s American Rescue Plan, his American Jobs Plan and increased investment are “three critical investments” necessary in “the wake of the [cyberattacks],” Clarke urged, noting this was a bipartisan imperative on the Hill that she is prepared to lead.
This is a “once in a generation investment” that will “create jobs, rebuild our critical infrastructure” and allow the U.S. to be a global competitor again, Clarke continued. But it will come down to ensuring the U.S. is also building up the workforce it needs to be able to perform these jobs.
“The emerging landscape for warfare…is all cyber,” Clarke charged, and “the sooner that we embrace that understanding, the sooner we stand up a robust defense” with mitigation and detection strategies.