Biden signs executive order to beef up cybersecurity in US

By Josh Lowe on 13/05/2021 | Updated on 04/02/2022
US President Joe Biden has signed an executive order that aims to improve cybersecurity in the US following a number of recent breaches. Credit: Gage Skidmore, CC BY-SA 2.0, via Wikimedia Commons

The Biden administration has launched a range of measures to improve national cybersecurity, including establishing a joint public-private panel to review incidents, in an executive order signed yesterday.

The US government has faced a string of damaging attacks by hackers exploiting weaknesses in private sector providers of essential services. On Wednesday, the fuel company Colonial Pipeline resumed operations after a ransomware attack prompted a five-day closure of the main part of its network.

In a press briefing on the executive order, a senior administration official pointed to the recent attacks. These incidents had two things in common, the official noted. The first is a “laissez-faire attitude towards cybersecurity” that focuses on response rather than prevention.

The second factor is “poor software security”, the official said, which means the government “routinely installs software with significant vulnerabilities into some of our most critical systems and infrastructure.”

The order aims to shift the government’s approach from incident response to prevention. It includes deadlines for federal agencies to improve cybersecurity practices, as well as work with the private sector to improve software security and information-sharing.

Cross-sector collaboration

“Too often organisations repeat the mistakes of the past and do not learn lessons from significant cyber incidents,” a statement on the White House website said.

To address this, a Cybersecurity Safety Review Board will be established by the Department of Homeland Security (DHS). It will “convene following a significant cyber incident to analyse what happened and make concrete recommendations for improving cybersecurity”, according to a White House briefing.

Leadership of the board will be split between the public and private sector. The panel will be co-chaired by the secretary of the DHS and a leader from the private sector, who officials expect will be picked “based on the specific incident that occurs”. It will also include the Department of Defense, the National Security Agency, and the Department of Justice.

The board will be modelled on the National Transportation Safety Board, which investigates civil aviation and other accidents and recommends future prevention measures.

Serious about security

Elsewhere, the executive order includes provisions designed to toughen up security among public and private sector organisations alike.

Part of the focus is on improving security practices in government. For example, federal agencies have 180 days to adopt multi-factor authentication and data encryption.

A new “playbook” will also be established to support agencies’ response to cyberattacks. “Recent incidents have shown that within the government the maturity level of response plans vary widely,” the White House statement said. “The playbook will ensure all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat.”

Meanwhile, the private sector will be enabled — and required — to share more information with government. “IT providers are often hesitant or unable to voluntarily share information about a compromise… removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses,” the statement added.

New “baseline security standards” will also be established for software being sold to the government. In nine months all software purchased must meet those standards, the official said.

“We’d never buy a family minivan knowing it could have potentially fatal defects, with the expectation of recalls, or decide whether you want to install and pay for seatbelts or airbags afterwards,” the spokesperson said.

About Josh Lowe
