The White House plans to release an ambitious strategy Wednesday to make federal agencies tighten their cybersecurity controls after a series of high-profile hacks against government and private infrastructure in the last two years, according to a copy shared with CNN.
It’s one of the biggest efforts yet by the Biden administration to secure the computer networks that the government relies on to do business.
Under the strategy, federal employees will need to sign on to agency networks using multiple layers of security and agencies will have to do a better job of protecting their internal network traffic from hackers. The strategy gives agencies until the end of the 2024 fiscal year to meet these benchmarks and others.
The overhaul was inspired in part by a 2020 spying campaign by alleged Russian hackers that infiltrated several US agencies and went undetected for months, leaving US officials frustrated at their blind spots. The hackers tampered with software made by federal contractor SolarWinds, among other tools, to sneak onto the unclassified networks of the Departments of Justice, Homeland Security and others.
The strategy, which will be released by the Office of Management and Budget, was born out of a cybersecurity executive order that President Joe Biden signed last May in the wake of the breaches to federal networks and a ransomware attack on a major US pipeline operator.
The strategy seeks to apply a cybersecurity concept known as “zero trust,” which is popular at big corporations, to the federal government. “Zero trust” dictates that no computer user or system inside or outside an organization is inherently trusted. Continuous security checks are needed to ensure that hackers aren’t impersonating someone, and systems should be isolated when possible to keep malicious code from spreading.
One of the more demanding parts of the strategy is a requirement that agencies have a “complete inventory” of every electronic device on their networks.
It’s also an effort to set cybersecurity policy around goals and outcomes, rather than checklists.
“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” National Cyber Director Chris Inglis said in a statement.