Six months after one of the largest cyberattacks in history, the White House will set up formal cyber investigations, require companies to report breaches and set software development standards.

Transcript

RACHEL MARTIN, HOST:

You might remember that just before President Biden took office, the U.S. discovered a massive Russian hack of a Texas software company called SolarWinds. Now the Biden administration plans to release an executive order to prevent future hacks. Dina Temple-Raston of NPR's investigations team spoke exclusively with the senior White House adviser in charge of the response.

DINA TEMPLE-RASTON, BYLINE: The U.S. hasn't had much of a strategy to battle cyber attacks. Anne Neuberger thinks it requires a change in the way we think about them.

ANNE NEUBERGER: We're working to shift our mindset from responding incident by incident to preventing them in the first place.

TEMPLE-RASTON: She's the deputy national security adviser for cyber and emerging technology at the White House, and she's working on an executive order slated for release in just a couple of weeks. Among other things, the order will create something like the National Transportation Safety Board. Think of a hack like a plane crash. Just as the NTSB inspects the wreckage to see if there needs to be a systematic fix, a cyber NTSB would paw through code and other evidence to do the same.

NEUBERGER: What can we learn with regard to how we get advanced warning of such incidents? What allowed it to be successful? Potentially, what allowed it to be broad, if it was? Which sectors were affected? Why?

TEMPLE-RASTON: And so do you think that the NTSB is a good metaphor for it?

NEUBERGER: We do.

TEMPLE-RASTON: Neuberger says we need a new strategy because we've become so connected. All of us are vulnerable to attack. But there still isn't a unified plan for how to respond. For example, when companies get hacked, a lot of them don't tell anyone. A way to fix that, Neuberger says, would be to require federal contractors to report any breach.

NEUBERGER: If you're doing business with the federal government, then when you have an incident, you must notify us quickly because we'd like to take that incident and ensure that the tactics, techniques and procedures, the information, is broadly shared.

TEMPLE-RASTON: Companies are supposed to report attacks to the Department of Homeland Security now, but because it isn't required, many don't. In next month's executive order, Neuberger said they'll set this as a goal, provide a timeline, and then establish a process to work out the details. Alex Stamos runs the Internet Observatory at Stanford University.

ALEX STAMOS: This is actually kind of a weakness in our overall cyber strategy as a country, is that nobody is really in charge of looking at the big picture.

TEMPLE-RASTON: He'd like the idea of a cyber NTSB and getting perspective on the threat.

STAMOS: You have the FBI, which is deeply involved in incident response, but they are there to enforce the law, right? It is not their job to come up with conclusions for the entire society. You have DHS CISA, the Cybersecurity Infrastructure Security Agency. Their job is to work on defense. So they're probably the closest of the agencies to this, but they don't have any investigative powers. And so we're in this weird position where it's really nobody's job in six months to tell us what happened.

TEMPLE-RASTON: What happened is that Russian hackers piggybacked on a SolarWinds software update and then slipped right into Fortune 500 companies and government computer networks. Neuberger says that's a problem that needs to be addressed.

NEUBERGER: If you or I are going out to buy network management software, like SolarWinds, and we want to buy the software that is most secure, we have no way, Dina, of assessing which that is.

TEMPLE-RASTON: She suggests there's a way that the federal government can incentivize private companies to be safer. What if a government contract no longer went to the lowest bidder, but instead was awarded to a company that could document exactly how and where their software was built?

NEUBERGER: You know what? I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.

TEMPLE-RASTON: And they would need to say where their code was written and maintained. Kiersten Todt is the managing director of the Cyber Readiness Institute. She helped the Obama administration think through cyber issues, and she's been briefed on the new order.

KIERSTEN TODT: I think it's a first step. It's definitely not the Holy Grail. It's not a destination. It's the departure point.

TEMPLE-RASTON: But it's easier said than done.

TODT: The key is going to be in how each of these elements of the executive order are executed and really how government is going to bring industry in to perform the functions to really look pre-event, middle of event, post-event, and how we take those lessons learned and integrate them.

TEMPLE-RASTON: Todt thinks the government is going to have to work with companies to tell them what secure software looks like, and an executive order alone won't do that. And while you may never have heard of SolarWinds or been affected by that attack, we are all increasingly vulnerable.

NEUBERGER: You know, cyber threats loom large in a way that Americans feel.

TEMPLE-RASTON: Anne Neuberger again.

NEUBERGER: Can we trust our water, our power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running. You know, we see school systems' networks down due to criminals. So those risks touch everyday Americans' lives, as well as at the national level.

TEMPLE-RASTON: The Biden administration has already leveled sanctions against Russia for the SolarWinds attack, and the White House has said there would be more seen and unseen responses to the breach. The unseen responses, like whether the Biden administration is preparing an attack in cyberspace, Neuberger declined to talk about directly. Dina Temple-Raston, NPR News.

Transcript provided by NPR, Copyright NPR.