Logo

American Security Council Foundation

Back to main site

Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

Biden Order Will Require New Cybersecurity Standards In Response To SolarWinds Attack

Friday, April 30, 2021

Categories: ASCF News Cyber Security

Comments: 0

cybersolardownload (1)

The Biden administration is putting the final touches on an executive order aimed at helping the U.S. defend itself against sophisticated cyberattacks like the one Russian hackers recently leveled against Texas software-maker SolarWinds.

The order, which is still being drafted, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector.

"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, told NPR in an exclusive interview.

She says the executive order will "set the goal, give it a timeline and then establish the process to work out the details" on a handful of cybersecurity initiatives, from setting up new ways to investigate cyberattacks to developing standards for software.

The effort is all part of the administration's response to a recent cyberattack on a Texas software company called SolarWinds. Hackers linked to Russian intelligence compromised one of the company's routine software updates and used that access to break into about 100 top U.S. companies and about a dozen government agencies. The hackers roamed around the networks for nine months before they were finally discovered. It is still unclear whether this was merely an espionage operation or a precursor for something more sinister.

The hack itself was sophisticated and stealthy. The intruders used novel techniques and exploited gaps in the nation's current cybersecurity systems.

Among other things, the attack was launched from inside the U.S. on servers the Russians had rented from places such as Amazon and GoDaddy. By doing that, the hackers were able to slip past National Security Agency early warning systems because the NSA is not allowed to conduct surveillance inside the United States.

"We did a detailed study of SolarWinds and it showed that we have major work to do to modernize our cybersecurity ... to reduce the risk of this happening again," Neuberger said. "And the upcoming executive order is a big part of that."

"It's nobody's job ... to tell us what happened"

Among other things, the draft order includes something similar to the National Transportation Safety Board, or NTSB, for cyber. Just as the NTSB inspects the wreckage of a plane and recovers black boxes to see if the crash requires a systematic fix, a cyber NTSB would potentially paw through code and data logs to discover the root causes that permitted a successful cyberattack.

"What can we learn with regard to how we get advance warning of such incidents?" Neuberger said. "What allowed it to be successful? Potentially, what allowed it to be broad, if it was, which sectors were affected? Why?"

Alex Stamos is the former chief of security at Facebook. Now he runs the Internet Observatory at Stanford University and says that one of the problems with the country's overall cyber strategy is that there is no one in charge of looking at the big picture. An NTSB for cyber would provide some of that.

"You have the FBI, which is deeply involved in the incident response, but they are there to enforce the law. It's not their job to come up with conclusions for the entire society," he said. "You have DHS's CISA, the Cybersecurity Infrastructure Security Agency, their job is to work on defense. So they're probably the closest of the agencies to this, but they don't have any investigative powers. So we're in this weird position where it's really nobody's job ... to tell us what happened."

Neuberger says the executive order seeks to address that by creating more transparency. "If you or I are going out to buy network management software like SolarWinds and we want to buy the software that is most secure, we have no way of assessing which that is," she said. "And as a result, we have no way of saying, 'you know what? I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.' "

Neuberger said that the administration can remedy that by defining a set of requirements for the way software is built. Federal contractors will have to prove that they have secure practices like separating where they develop software from the internet, and things like requiring proof of multifactor authentication. The administration is trying to change the way we all think of code: It isn't just zeroes and ones — it is critical infrastructure.

"The key here is we can't just expect companies to be motivated to build secure software because it's the right thing to do," said Kiersten Todt, managing director of the Cyber Readiness Institute and a former Obama adviser on cyber issues. "Government has to be working with these companies to tell them what secure software looks like and give them the resources, and incentivize them to do so."

She says consumers have a role to play, too. "If we start incentivizing security, then companies [and] the market will then inherently prioritize it because more people will buy the product," she said. "So there is a very much of a multi-stakeholder collaboration that has to happen here."

And an executive order alone won't do that.

"I think it's a first step," Todt said. "It's definitely not the Holy Grail. It's not a destination. It's the departure point."

Notification required

Another perennial issue is that when companies are hacked in the U.S., a lot of them keep it to themselves. The revelation of a cyberattack often affects confidence, share prices and reputation.

The executive order is seeking to change that. Neuberger said federal contractors will be required to be more open about attacks. "If you're doing business with the federal government, then when you have an incident, you must notify us quickly," she said. "Because we'd like to take that incident and ensure that the tactics, techniques and procedures, the information is broadly shared," she said. Then other companies, presumably, would follow their lead.

The chairman of the Senate Intelligence Committee, Sen. Mark Warner, told the U.S. Chamber of Commerce this week that he's working on a bill that will likely include some sort of "mandatory reporting" of cyber incidents and public-private cyberthreat intelligence sharing. He, too, said it was in response to the attack on SolarWinds.

But all this is easier said than done.

"The key is going to be in how each of these elements of the executive order are executed," Todt said. "And really how government is going to bring industry in to perform the functions to really look pre-event, middle of event, post-event and how we take those lessons learned and integrate them."

And while you may have never heard of SolarWinds or been affected by that attack, the connected world is increasingly vulnerable. And that is one of the messages the administration is trying to send.

"Cyberthreats loom large in a way that Americans feel," Neuberger said. "Can we trust our water, our power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running. We see school systems' networks down due to criminals. So, those risks touch everyday Americans' lives."

The Biden administration has already leveled sanctions against Russia for the SolarWinds attack. And the White House has said there would be more "seen" and "unseen" responses to the breach. The unseen responses — for example, whether the Biden administration is preparing a reprisal attack against Moscow in cyberspace — was not something Neuberger was willing to talk about.

Photo: Anne Neuberger, the deputy national security adviser for cyber and emerging technology, says an upcoming executive order will strengthen U.S. cybersecurity, from setting up new ways to investigate cyberattacks to developing standards for software.
Saul Loeb/AFP via Getty Images

Link: https://www.npr.org/2021/04/29/991333036/biden-order-to-require-new-cybersecurity-standards-in-response-to-solarwinds-att

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.