If you live on the East Coast and tried to get gasoline last week, you already know firsthand of the impacts that a cyber incident can wreck on the supply chain. As a result of the Colonial Pipeline cyber incident, a ransomware attack that led to the six-day shutdown of a key pipeline for gasoline, diesel and jet fuel, the East Coast experienced widespread gas station outages. According to CNN, impacts from the attack are anticipated to continue through Memorial Day. Specifically, the 5,500-mile pipeline flows at five miles per hour and they anticipate it could take weeks to refill the nearly empty storage caused by the cyber-initiated stop. Readers of this blog have seen a number of our reports on the increasing number and scope of threats to the supply chain being posed by cyber criminals, terrorists, nation states, and nation state actors. However, experiencing the long lines and closed gas stations brings home in a very personal way the criticality of protecting our nation’s infrastructure against cyberattacks.
In the wake of the shutdown, a $5 million ransom was paid to the hackers, DarkSide. NBC News reported that the White House’s deputy national security adviser for cyber and emerging technologies apparently acknowledged that companies’ paying ransom to the criminals may be in their best interest. However, that same source reported that the White House’s advice remains that victims do not pay the ransom. This advice is consistent with advice issued during the Trump Administration by the Department of Treasury Office of Foreign Assets Control (OFAC), which issued an advisory on October 1, 2020 stating that paying ransom to bad actors may violate OFAC regulations and lead to sanctions. Government contractors and those in their supply chain that violate OFAC regulations may be debarred, suspended or other otherwise ineligible to receive government contracts, subcontracts, grants or agreements if they violate OFAC sanctions. OFAC will “consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” These various positions leave companies not knowing which way to go if they suffer a cyberattack.
On May 12, 2021, President Biden issued a twenty-one page Executive Order on Improving the Nation’s Cybersecurity (EO), with the apparent intent of establishing a path for securing the supply chain and addressing cyber vulnerabilities and incidents. The EO states that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority” and it seeks to address the cybersecurity of not only government and government contractors, but also the consumer public. The EO addresses five main areas: (1) removing barriers to sharing threat information; (2) moving towards Software Bills of Material (SBOMs) and Zero Trust Architecture and establishing standards and procedures to modernize federal cybersecurity; (3) establishing a public-private Cyber Safety Review Board, akin to the National Transportation Safety Review Board, to review and assess significant cyber incidents and provide follow up recommendations; (4) improving detection of cybersecurity vulnerabilities and incidents on Federal government networks; and (5) adopting additional requirements for National Security Systems.
(1) Removing barriers to sharing threat information
A significant focus of the EO is on collecting and preserving information in the hands of information technology (IT) and operational technology (OT) services providers in the Federal supply chain. However, the EO seeks to collect information beyond that which would normally be covered by contract scope and activity-focused provisions, by seeking the development and implementation of new regulations to require IT and OT services providers to “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control.” Emphasis added. This direction would include not only requirements for systems operated on behalf of federal agencies, but also the contractor’s other systems “over which they have control.” Significantly, the EO also would seek recommended provisions to require what could become an unlimited responsibility on the part of service providers to share their data, information, and reporting as “relevant to any agency with which they have contracted … and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies.” Emphasis added. Since privacy laws and regulations include national security exceptions, this could become a very broad mandate indeed. The EO also would require service providers to “collaborate” with federal agencies in investigations and responses to actual or potential incidents on Federal information systems, including monitoring networks for threats in collaboration with agencies they support.
The risk here is that an overbroad provision will require that too much information be collected and will overburden the system. Given limitations on government resources for analysis and action, too much information may lead to delays in the identification of truly significant information. Finding a balance to ensure that the right kinds of information are identified and shared, and that this does not merely become an exercise of garbage in, garbage out, will be imperative. Under the EO, the FAR Council is charged with publishing “proposed updates to the FAR” for these purposes within 90 days of its receipt of the recommendations of the designated government entities.
(2) Moving towards SBOMs and Zero Trust Architecture
Many of the threats and incidents reported in recent years have arisen because of flaws or malware that are baked into the software and systems being used to carry data. This portion of the EO would address this situation in part by developing guidance and standards and moving to implementation of Zero Trust Architecture. The EO broadly defines Zero Trust Architecture in the definition section of the EO as follows:
The term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminated implicit trust in any one element, node, or service and instead requires continuing verification of the operational picture via real-time information from multiple sources to determine access and other system response. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. ….
The definition goes on. The intent to ensure restricted access and continuous surveillance to make things safer is understandable. However, the risks here are that the systems put in place to provide this safety may themselves be too intrusive, or that they may be susceptible to compromise and used as a vehicle to compromise the systems they would monitor and protect. Thus, the devil will be in the details of how this concept may be implemented.
SBOMs are a concept that has been discussed for quite a while, but implementation in the past has been elusive. BOMs are traditionally used in major weapon system procurements to ensure that such systems only use qualified products and components and are manufactured and maintained to maximize the integrity of the system, as well as its safety and security. Requiring the provenance of software being used or incorporated into government systems makes good sense. Software may be created anywhere, and include software bytes and pieces from open sources and others that are susceptible to compromise.
(3) Establishing a public-private Cyber Safety Review Board
The National Transportation Safety Board is a well-known group that swoops in when an accident occurs to assess root causes and render recommendations to respond to significant transportation issues. Analogously, the EO seeks to establish a Cyber Safety Review Board to review and assess “significant cyber incidents” affecting not only Federal systems, but also “non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.” The intent is to appoint a Board comprised of Federal officials and a member of the private sector. Others may be invited to participate on a case-by-case basis. Key to its success will be the designation of persons with sufficient knowledge and experience.
(4) Improving detection of cybersecurity vulnerabilities and incidents on Federal government networks
The EO would establish a standardized set of responses and processes for cyber vulnerabilities and incidents to “ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress.” The plan includes defining key terms and a shared lexicon among agencies. Anyone who has been involved in a cyber tabletop exercise or actual cyber incident investigation knows that different agencies have different protocols and contacting the right government officials to report and to obtain direction may be challenging. Developing lines of authority and a set of best practices for agencies to apply would be beneficial.
(5) Adopting additional requirements for National Security Systems
The EO does not go into detail on this point. However, the intent appears to be to include additional requirements to coordinate requirements for the safety and security of National Security Systems through codification of a National Security Memorandum.
The EO borrows in large part from EOs, policies, concepts and activities that have been issued or identified over the past decade or longer. However, it does so in a more expansive way. The intent appears to be to create a forcing mechanism to develop increased cybersecurity throughout not just the Federal sector and supply chain, but the general public. The directives contained in the EO will need to be implemented through formal rulemaking. While the EO anticipates going through a public notice and comment process, receiving and revising its regulations based on public comment, there is little doubt in this author’s mind at least that the Administration’s activities to implement this EO will be set in motion long before that rulemaking is completed and final regulations are issued. Contractors should be tracking these developments and considering whether and to what extent to submit comments. The aim here should be to facilitate final implementation of a set of regulations and requirements that is executable and not overly intrusive.
We are tracking developments in this area closely. If you have questions about this blog, or other government contracting matters, contact the author or your Stinson counsel.