
White House orders federal agencies to raise cybersecurity bar for national security systems

President Biden has granted the National Security Agency (NSA) new powers to bolster the cybersecurity of US federal government computer systems related to national security.

A memorandum issued by the White House yesterday (January 19) also sets out new obligations for federal agencies and timelines for meeting them.

As prescribed by an executive order signed by Biden in May 2021, the measures will, “at minimum”, ensure that national security, Department of Defense (DoD), and intelligence community systems adhere to the more stringent cybersecurity measures already in place for federal civilian networks.

Federal agencies have been instructed to identify their national security systems and report security incidents affecting them to the NSA, the DoD’s intelligence agency.

Mark Warner, Democrat senator for Virginia and chairman of the Senate Select Committee on Intelligence, urged Congress to build on this measure by passing pending bipartisan legislation requiring critical infrastructure operators to report cyber-attacks within 72 hours.

The legislation was drafted in the wake of the SolarWinds and Colonial Pipeline hacks.

The directive also includes guidance on the use of multi-factor authentication (MFA), encryption, zero-trust architecture, and endpoint detection services.

Binding operational directives

The memo authorizes the NSA to issue ‘binding operational directives’ that oblige operators of national security systems “to take specific actions against known or suspected cybersecurity threats and vulnerabilities”, reads a fact sheet.

These powers are modeled on those already wielded by the Department of Homeland Security (DHS) in relation to civilian government networks, with one recent DHS directive ordering agencies to mitigate the far-reaching Log4j vulnerability.

The memorandum also requires that federal agencies inventory and bolster the security of ‘cross-domain solutions’, which transfer data between classified and unclassified systems.

“I’d stake good money that this is not purely proactive,” tweeted Jake Williams, founder and president of cybersecurity firm Rendition Infosec. “You rarely see discussion of cross domain solutions (e.g. unclassified to classified) and for it to be called out so clearly in a public EO says something (just not sure what).

“For the record, I recognize it may just be saying ‘we recognize this could be an issue and are trying to get a handle on it now’. But if that’s the case, not sure you need a public EO to do it. Wondering if this has some signaling value as well?”

Agencies have also been instructed to identify “instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA”, prompting Johns Hopkins University professor and cryptographer Matthew Green to tweet: “Looks like the US is getting serious about post-quantum crypto.”

‘Surge effort’

The directive caps a busy 12 months on the cybersecurity policy front for the Biden administration.

Among other measures, the White House has announced new rules on reporting ransomware payments, an overhaul of federal government software procurement practices, and plans to establish a blueprint for rapidly patching known, exploited flaws in federal systems.

Last week, the White House hosted a virtual summit dedicated to securing software supply chains.

The memo fact sheet also points to “a surge effort to improve cybersecurity across the electric and pipelines sectors which has resulted in more than 150 utilities serving 90 million Americans committing to deploy cybersecurity technologies, and we are working with additional critical sectors on similar action plans”.

Source: https://portswigger.net/daily-swig/white-house-orders-federal-agencies-to-raise-cybersecurity-bar-for-national-security-systems
