President Joe Biden on Wednesday signed a national security memorandum to bolster cybersecurity for sensitive computer systems used by the Pentagon and US spy agencies amid an array of hacking threats from foreign governments.
The White House said the measures would “[raise] the bar for the cybersecurity of our most sensitive systems,” and build on an executive order Biden signed last year to shore up federal IT security.
The memo requires agencies to adopt a series of key cybersecurity practices, including encryption and multi-factor authentication, and charges the National Security Agency with holding agencies accountable for their security shortcomings.
The memo is aimed at ensuring that defense and intelligence agencies report hacks that occur on national security systems to the NSA, the nation’s biggest spy agency. It also authorizes the NSA to issue “binding operational directives” that would force security agencies to take specific measures to protect their networks, along the lines of what the Department of Homeland Security’s cyber agency does for civilian agencies.
Biden has described cybersecurity as a “core national security challenge.” The executive order he signed in May came after a string of hacking incidents disrupted key US commodity and software suppliers last year. A ransomware attack last May, for example, forced Colonial Pipeline — the main fuel artery for the east coast — to shut down for days.
The Biden administration has also had to contend with far-reaching foreign espionage campaigns, including a months-long compromise of key federal agencies via SolarWinds software that the White House blamed on Russia’s foreign intelligence service.
While the so-called SolarWinds campaign appeared to primarily target civilian agencies, the Pentagon and its contractors have had to fend off persistent espionage from Russian, Chinese and other hacking groups for years, if not decades. A suspected Chinese hacking group has breached at least four US defense and technology firms as part of a global intelligence gathering effort, CNN reported in December.
Glenn Gerstell, former general counsel at the NSA, told CNN that the memo was a “continuation and clarification” of NSA’s responsibilities to protect sensitive government networks. “What’s especially critical is that now other agencies running classified networks have to tell NSA about hacks and NSA has the power to tell agencies how to protect their networks,” Gerstell said.
The memo also requires defense and intelligence agencies to match or exceed security requirements laid out for civilian agencies in Biden’s May executive order. To that end, it’s important to have “more synergy” between those requirements so that contractors that develop key technologies for both types of agencies know what is expected of them, said Grant Schneider, who was federal chief information security officer from 2018 to 2020.