A new executive order, issued days after ransomware shut a major U.S. pipeline, aims to change how companies manage and report cybersecurity incidents, give consumers better ways to evaluate the security of products and services, and create a standard playbook for federal responses to breaches and attacks.
“We routinely install software with significant vulnerabilities to some of our most critical systems and infrastructure,…systems that are used to deliver our power and our water to help manage traffic,” a senior Biden administration official told reporters during a call on Wednesday. “Continuing status quo is simply unacceptable.”
The order will likely force businesses to change how they communicate to the government and the public about their cybersecurity postures.
The order also invalidates contractual obligations that can make IT providers hesitant to share information about network breaches with the government, according to a fact sheet sent out by the National Security Council.
It also sets new security standards that software and IT services must meet before federal agencies may purchase them.
“We identified a small set of high impact, cyber defenses that, when implemented, make it harder for an adversary to compromise and operate on the hacked network, tools like multi-factor authentication, encryption, endpoint detection [and] response, logging and operating in a zero trust environment,” said the official. Those changes will be rolled out in the next six months.
The official said that such moves would have helped to prevent the SolarWinds incident that has affected multiple government agencies including the Department of Justice, the Department of Homeland Security, and portions of the Defense Department.
The Biden administration hopes that the new federal requirements will influence how IT providers make products and services available to the public.
“We use federal buying power to jumpstart the market for secure software,” said the official.
The order also establishes a new incident review board, modeled after the National Transportation Safety Board, that will have a private sector co-chair to quickly review major cyber incidents and make recommendations on what to do about them. And it puts in place a standard playbook for responding to major cyber incidents.
Perhaps its most important feature is a new rating system that will let the public judge the security of the products and services they buy, similar to the Department of Energy’s Energy Star rating system. That could affect the way consumers buy internet-enabled products and services. For instance, a shopper deciding between two baby monitors would be able to see immediately which one had the higher rating.
“We’re working to bring visibility to the security of software, akin to the way New York brought visibility to cleanliness in New York City restaurants by requiring restaurants to post simple ratings, like A, B, C or D regarding their cleanliness, in their windows,” said the official.