Biden to Expand National Security Agency Role in Government Cybersecurity

It effectively aligns the cybersecurity standards imposed on national security agencies with those previously established for civilian agencies under an executive order Mr. Biden signed last May. Affected agencies will soon be expected to implement various cybersecurity protocols, including use of certain cloud technologies and software that can detect security problems on a network.

Cybersecurity failures have plagued the U.S. government for decades, including thefts of detailed personnel records and military secrets that have been blamed on Russia, China and other adversaries. While national security agencies are generally seen as more secure than their civilian counterparts, they have endured significant breaches, too.

The new 17-page order authorizes the National Security Agency, the government’s leading digital surveillance organization, to issue what are known as binding operational directives, which require operators of national security systems to undertake efforts to guard against known or potential cybersecurity threats. The NSA has long had both offensive and defensive missions, but it has sought to expand its cybersecurity mission in the years following the leaks of classified surveillance information by former intelligence contractor Edward Snowden.

The Department of Homeland Security already has the power to issue binding operational directives that apply to civilian government networks, and most recently used the authority in December to order agencies to immediately mitigate the widespread Log4J cyber flaw. Binding operational directives could require agencies to install certain patches immediately, take some systems offline or uninstall software viewed as potentially dangerous, as the Trump administration did with Kaspersky Lab antivirus software in 2017.

Additionally, Wednesday’s memorandum requires agencies to identify their national security systems and report to the NSA cyber incidents that involve them. A fact sheet shared by the White House said this reporting would help the government identify and mitigate cyber risk across all national security systems.

The new rules also will require defense and intelligence agencies to better secure tools used to share data between classified and unclassified systems, in recognition that nation-state adversaries often seek to identify weaknesses in those tools to access highly sensitive national security information. Mr. Biden’s memorandum requires agencies to inventory so-called cross-domain solutions and places the NSA in charge of creating new security standards and testing requirements for such tools.

The actions to grant NSA a broader cybersecurity remit follows years of efforts by the spy agency to rehabilitate its image. That suffered after leaks by Mr. Snowden, which exposed highly classified domestic and global surveillance activities. Mr. Biden has filled three of the most important cybersecurity roles in his administration with NSA veterans, including

Anne Neuberger

as deputy national security adviser for cyber and emerging technology.

Mr. Biden and his national security team have repeatedly identified cybersecurity threats as a top national and economic security threat to the U.S. The Biden administration has warned critical infrastructure operators and some businesses in recent weeks to be on guard against Russian cyberattacks that could be spillover from tensions between Moscow and Kyiv.

Wednesday’s directive follows several organizational changes at the White House, State Department and elsewhere to elevate the issue and a push to place cybersecurity mandates on some private industries, including pipelines and trains, after several presidential administrations of both parties largely relied on voluntary industry standards.

Write to Dustin Volz at [email protected]