The White House said the measures would “[verhoog] the bar for the cybersecurity of our most sensitive systems,” and build on an executive order Biden signed last year to shore up federal IT security.
The memo requires agencies to adopt a series of key cybersecurity practices, including encryption and multi-factor authentication, and charges the National Security Agency with holding agencies accountable for their security shortcomings.
The memo is aimed at ensuring that defense and intelligence agencies report hacks that occur on national security systems to the NSA, the nation’s biggest spy agency. It also authorizes the NSA to issue “binding operational directives” that would force security agencies to take specific measures to protect their networks, along the lines of what the Department of Homeland Security’s cyber agency does for civilian agencies.
Biden has described cybersecurity as a “core national security challenge.” The executive order he signed in May came after a string of hacking incidents disrupted key US commodity and software suppliers last year. A ransomware attack last May, byvoorbeeld, forced Colonial Pipeline — the main fuel artery for the east coast — to shut down for days.
The Biden administration has also had to contend with far-reaching foreign espionage campaigns, including a months-long compromise of key federal agencies via SolarWinds software that the White House blamed on Russia’s foreign intelligence service.
While the so-called SolarWinds campaign appeared to primarily target civilian agencies
, the Pentagon and its contractors have had to fend off persistent espionage from Russian
, Chinese and other hacking groups for years
, indien nie dekades nie. A suspected Chinese hacking group has breached at least four US defense and technology firms as part of a global intelligence gathering effort
, CNN reported in December
Glenn Gerstell, former general counsel at the NSA, told CNN that the memo was a “continuation and clarification” of NSA’s responsibilities to protect sensitive government networks. “What’s especially critical is that now other agencies running classified networks have to tell NSA about hacks and NSA has the power to tell agencies how to protect their networks,” Gerstell said.
The memo also requires defense and intelligence agencies to match or exceed security requirements laid out for civilian agencies in Biden’s May executive order. Met daardie einde in sig, it’s important to have “more synergy” between those requirements so that contractors that develop key technologies for both types of agencies know what is expected of them, said Grant Schneider, who was federal chief information security officer from 2018 aan 2020.