In the wake of the recent SolarWinds hack, a vendor compromise that infected tightly protected government agencies, the Biden administration is reported to be planning a new cybersecurity executive order as early this week. While a National Security Council spokeswoman said no decision has been made on the final content of the executive order, among the measures being reported is a new requirement that any vendors working with federal government agencies must report any suspected breaches to those agencies.
While there have been multiple previous attempts to establish breach notification laws through congress, industry resistance has previously been successful in halting the bills from passing. But now, following the two, massive hacks of SolarWinds and Microsoft over the past few months, there may not be much vendors can do to stop it this time.
Along with the breach notification requirement, the planned cybersecurity executive order is reported to contain a series of additional security requirements for software and programs used by federal agencies. This may include requiring federal agencies to take small, but essential security measures such as the use multi-factor authentication and data encryption.
Overall, the executive order appears to create broader levels of transparency and communication between software vendors and government agencies regarding cybersecurity. For example, since many pieces of software now link directly to other programs and services, the order is reported to also require a “software bill of materials” that lays out what the software contains and what other services it connects to. According to Reuters, the order may also create a cybersecurity incident response board, encouraging communication between government agencies, vendors, and victims.
If Biden signs the executive order, this may be a the first step towards a more robust and efficient response to the increasing cyber threats government agencies are facing. According to Reuters, this may also open the door towards broader public disclosure legislation. By being transparent and openly sharing information, both government agencies and private organization will benefit by helping to identify and mitigate threats more quickly and effectively.