The Biden administration has outlined its plan to address US government security in the wake of attacks on SolarWinds’ Orion platform and Microsoft Exchange, with closer private sector collaboration the centerpiece of its response.
The administration revealed its plans in a transcript of a phone briefing held between members of the press and a speaker identified only as a “senior administration official.”
“Today, the cost of insecure technology is borne at the end: by incident response and cleanup. And we really believe it will cost us a lot less if we build it right at the outset,” said the anonymous official, who added that the administration wants to prioritize security in the way the US builds and buys software, while balancing innovation and security.
One solution the administration flagged is a cybersecurity ratings scheme that grades vendors. The official specifically cited Singapore’s cybersecurity ratings for IoT devices as a model for future US practices that will soon be detailed in executive actions.
The administration has also invited members of the private sector to participate in its National Security Council-led Unified Coordination Group. The software security task force has always been able to include private entities; however, this is the first time it will do so.
“We are focused on tightening the partnership between the US government and the private sector, who does have visibility into the domestic industry and into private sector networks, to ensure we can rapidly share threat information and we can address the liability barriers and disincentives that disincentivize U.S. companies from both addressing some of these issues and rapidly sharing information when there are incidents,” said the official.
The official also described an intention to continue timely alerts and warnings of data breaches, citing the National Security Advisor’s first-ever tweet on a cybersecurity incident.
The unnamed official also detailed the administration’s response to the Exchange and SolarWinds exploits.
“We’re in week three of a four-week remediation across the federal government,” the speaker said. “The compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.”
“Most of the agencies have completed that independent review. For those who have not yet, they will complete it by the end of March.”
“We’ve had regular Deputies meetings here at the White House on this topic — deputy heads of agencies, particularly the nine compromised agencies — and we’ve discussed the methodology throughout. In fact, we standardized the methodology for incident response based upon this.”
Those reviews and discussions have identified “significant gaps in modernization and in technology of cybersecurity across the federal government.”
Those gaps are the motivation for the new plans described above.
The administration has not named anyone as responsible for the attacks on Microsoft Exchange, but has not disputed Microsoft’s assessment that its origins were in China. Russia remains the prime suspect behind the SolarWinds attack. ®