Biden administration scales up efforts to safeguard national security systems, DoD, intelligence community

U.S. President Joe Biden released on Wednesday a National Security Memorandum (NSM) aimed at bolstering the cybersecurity of national security systems, Department of Defense (DoD) systems, and intelligence community systems, building on Executive Order (E.O.) 14028, Improving the Nation’s Cybersecurity, released in May last year.

The U.K. government also announced on Wednesday that new laws are needed to drive up security standards while making improvements in the way organizations report cybersecurity incidents and reforming legislation.

The U.S. NSM specifies how the provisions of E.O. 14028 apply to national security systems, improves visibility into cybersecurity incidents that occur on these systems, requires agencies to act to protect against or mitigate cyber threats to these systems, and secures cross-domain solutions and tools that transfer data between classified and unclassified systems.

The May 2021 Executive Order required that the government ‘shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order.’ Consistent with that mandate, the NSM ‘establishes timelines and guidance for how these cybersecurity requirements will be implemented, including multifactor authentication, encryption, cloud technologies, and endpoint detection services.’ 

The memorandum pushes agencies to adopt a zero-trust architecture and develop appropriate implementation plans, to establish widespread cryptographic interoperability, to set minimum security standards and controls for cloud migration and operations, to implement multifactor authentication and encryption, and to develop a framework for coordinating and collaborating on cybersecurity and incident response activities.

The NSM calls upon national security systems to adopt the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work ‘to protect our Nation from sophisticated malicious cyber activity, from both nation-state actors and cyber criminals,’ according to a Fact Sheet released by the White House. It also gives agencies six months to identify any instances of encryption not in compliance with NSA-approved quantum-resistant algorithms or the CNSA (Commercial National Security Algorithm Suite).

Agencies are also required to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA), which under existing policy is the ‘National Manager’ for the U.S. government’s classified systems. The action will improve the government’s ability to identify, understand, and mitigate cyber risk across national security systems. In this capacity, the NSA will also create binding operational directives that require agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities.

The directive is modeled on the Department of Homeland Security’s binding operational directive authority for civilian government networks. The NSM directs NSA and DHS to share directives and to learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.

The NSM also requires agencies to secure cross-domain solutions, including tools that transfer data between classified and unclassified systems. Adversaries can seek to leverage these tools to get access to U.S. classified networks, and the NSM directs decisive action to mitigate this threat. The NSM requires agencies to inventory their cross-domain solutions and directs NSA to establish security standards and testing requirements to better protect these critical systems.

“We stand ready to fulfill our role, and our responsibility, in securing our nation against foreign malicious actors, and any efforts to exploit our national security systems,” General Paul M. Nakasone, Commander, U.S. Cyber Command, Director, NSA/Chief, Central Security Service, said in a media statement on Wednesday.

“The new authorities will provide us with the necessary cybersecurity visibility into our most important systems,” said Rob Joyce, NSA cybersecurity director and deputy national manager for national security systems. “This new insight will allow us to identify vulnerabilities, detect malicious threat activity and drive mitigations to better secure all national security systems.”

The NSM also called upon federal departments and agencies to modernize encryption protocols used on national security systems. 

“As the nation’s leader in cryptography, NSA will play a significant role in ensuring cryptographic interoperability among national security system users through cryptographic standards for use on NSS,” Gen. Nakasone said. 

“Today’s memorandum is a follow-up to the Executive Order released last year, and demonstrates that the administration’s strong commitment to cybersecurity continues,” Tim Erlin, vice president of strategy at Tripwire, wrote in an emailed statement. “It sets a number of additional and more specific deadlines for the NSA, DoD and the Intelligence Community systems.”

The memorandum touches on many aspects of the original executive order, including promoting zero trust architecture, implementing encryption, and improving data sharing about incidents, according to Erlin. “It may be difficult for the average person to parse what’s happening here, but these kinds of artifacts, memorandums and Executive Orders, are key components in effectively operationalizing broadly applicable policy changes,” he added.

Apart from the U.S. administration, the U.K. government also announced that new laws are needed to drive up security standards used by almost all U.K. businesses while making improvements in the way organizations report cybersecurity incidents and reforming legislation so that it is more flexible and can react to the speed of technological change. 

The U.K. government cited high-profile cyber incidents, such as the attacks on SolarWinds and Microsoft Exchange Servers, which showed vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organizations at the same time.

To improve security and help prevent such attacks, the U.K. government is aiming, through new legislation, to take a stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6 billion National Cyber Strategy. The government wants to update the NIS Regulations and widen the list of companies in scope to include Managed Service Providers (MSPs), which provide specialized online and digital services. The NIS Regulations (Network and Information Systems Regulations) provide legal measures to boost both cyber and physical resilience for the provision of essential services and digital services.

The U.K. government has launched a consultation on amending the NIS Regulations to include managed services. The proposals also require large companies to provide better cyber incident reporting to regulators such as Ofcom, the U.K.’s communications regulator; Ofgem, the U.K.’s Office of Gas and Electricity Markets; and the ICO (Information Commissioner’s Office), including a requirement to notify regulators of all cybersecurity attacks they suffer. The ICO is the U.K.’s independent authority set up to uphold information rights.

The U.K. government also invited proposals that would give it the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing into scope more organizations that provide critical support to essential services. It also intends to update the regulatory regime so that the most critical digital service providers in the economy have to proactively demonstrate to the ICO that they are following the NIS Regulations, while taking a more light-touch approach with the remaining digital providers.

Stakeholders have been asked to respond by April 10 this year to the proposal for legislation to improve the U.K.’s cyber resilience. Apart from this, the U.K. government also published a separate consultation on embedding standards and pathways across the cyber profession by 2025.
