President Joe Biden signed an executive order May 12 to strengthen the country’s cybersecurity defenses following several far-reaching cyberattacks in the past year. The order, Improving the Nation’s Cybersecurity, comes on the heels of the recent Colonial Pipeline breach, which caused a temporary gasoline shortage across much of the East Coast, and last year’s SolarWinds data incident that jeopardized as many as 18,000 companies nationwide, including nearly 40 military contractors, according to the United States Department of Defense.
The executive order does a few things. First, it requires IT service providers that have contracts with the federal government to tell the government about cybersecurity breaches that could affect U.S. networks. It calls for the creation of a standardized playbook of federal responses to cyber incidents. It mandates that software developers that sell their products to the government share their software bill of materials, essentially an ingredients list of what makes up their software, publicly. It establishes a Cybersecurity Safety Review Board comprised of both public- and private-sector officials, which will convene after cyber incidents to evaluate and make recommendations on the situation.
Additionally, it pushes the government to upgrade to more secure cyber infrastructure and to adopt tools like multifactor authentication and encryption, as well as a zero-trust model in which no single party holds a master key to all available data.
Data incidents have been widely reported in recent years. New Jersey-based businesses Wakefern Food Corp. and Cognizant both revealed incidents in 2020, and New Jersey received approximately $70,000 and $98,000 in December in data breach settlements with Sabre Hospitality Solutions and CafePress Inc., respectively. Since the onset of the pandemic, cyberattacks have become more frequent, with the Federal Bureau of Investigation reporting that cybercrimes were up more than 400% last summer compared to pre-pandemic numbers. Health care compliance analytics platform Protenus Inc. said in its 2021 Breach Barometer report that health care industry breaches jumped 42% due to the pandemic. And as the health care industry battled the COVID-19 pandemic, hacking incidents increased by 42% from 2019, a March Protenus report found.
So why now?
“Without getting political, one of the sources is Russia, and when you have had an administration that was not willing to investigate these sources … It’s not just Russia, it’s China, it’s North Korea, and by the way, it’s also U.S.-based, and it might not be a nation-state actor, it might be someone who just wants money,” explained Michelle Schaap, member of the privacy and data security and corporate and securities law groups at Chiesa Shahinian & Giantomasi PC in West Orange.
The emphasis on cybersecurity has to start from the top. “If the CEO doesn’t care, the rank and file aren’t going to care. By issuing an executive order, this is starting at the top, saying ‘we at the White House take this seriously,’” Schaap said. “We can’t have this on the back burner. This is the future of warfare. It’s much easier to launch ransomware than it is to launch [a missile].”
Jaideep Vaidya, professor and management science and information systems department vice chair at Rutgers, called cybersecurity – or the lack thereof – a national challenge, noting that incidents occur with regularity. “What we’ve seen, more and more, the challenges are increasing,” he said. “It’s not just attacks by a single actor, there could be organized mafia, state attacks, and ransomware is becoming a big business. Now, the CEO has admitted to paying the ransom in the Colonial Pipeline attack, and more bad actors are getting enthused about the opportunity. What we need is leadership, and from President Biden, we seem to have gotten that.”
In New Jersey, more than 323,965 government contracts were awarded to the state’s 6,994 government contractors in 2019, each of which would be directly affected by Biden’s cybersecurity executive order.
Two of the biggest defense contractors in the country, Lockheed Martin and Harris Corp., both have large presences in the Garden State. Overall, government contracts are big business here, totaling $7.2 billion in awards in 2019 alone. From 2000 to 2019, the million-plus contracts awarded to New Jersey businesses totaled $106,403,158,051.
Getting into compliance with the executive order will be an easier lift for some businesses than others, Schaap explained.
Department of Defense contractors are likely already up to speed, and vendors subject to HIPAA are likely close to the target. For smaller businesses, though, the task will be more difficult.
“It ain’t cheap, but that doesn’t mean it shouldn’t be done, and it’s about time it’s been done,” she said. The executive order is currently open for public comment, and Schaap suggests that small business owners who wish to keep receiving bid opportunities for federal contracts submit comments, so that the rules aren’t written in a way that excludes them from those opportunities.
“Regardless of whether you’re engaging with the federal government or not, this is something you should be thinking about,” Vaidya said.