UPDATE 04:23 pm Pacific Time, May 12: On Wednesday, President Joe Biden signed an Executive Order that broadly directs the Commerce Department to create cybersecurity standards for companies that sell software to the federal government. The Order comes in the immediate aftermath of a ransomware attack on Colonial Pipeline, an East Coast gasoline supplier that, also on Wednesday, restarted operations after the company came to a standstill last Friday.
Original story below:
The ransomware attack on Colonial Pipeline last week caused the White House to hold emergency meetings to possibly strengthen a planned Executive Order on cybersecurity that could be released in the coming days or weeks, the New York Times reported.
The Executive Order—currently a draft—could place new restrictions on businesses that develop software and sell it to the federal government, such as requirements to use multi-factor authentication and to access federal databases only when strictly necessary. Such a strategy seemed like an appropriate response several months ago, when cybercriminals believed to be working with the Russian government infiltrated nine federal agencies by first hacking into the IT management company SolarWinds.
But the recent attack on Colonial Pipeline reveals that new rules meant only for federal contractors could still leave broad swaths of the American public at risk. Complicating the issue is that, while President Joe Biden has taken a harder stance against Russian cyberaggression than the previous administration, the attack on Colonial Pipeline has no confirmed connection to the Russian government.
“I'm going to be meeting with President Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there's evidence that the actors' ransomware is in Russia,” Biden said this week.
According to multiple reports of the planned Executive Order, companies that sell their products to the government could have to implement several new cybersecurity measures.
Such companies would have to use multi-factor authentication and encrypt data that belongs to federal government clients. The government would also adopt a “zero-trust” model with these contractors, meaning that contractors would gain access to federal systems only on a “need-to-know” basis. Further, contractors would have to notify government customers of any cyberbreach, giving the government new visibility into ongoing and increasingly frequent cybercrimes.
In speaking with Reuters, a spokeswoman for the National Security Council explained the importance of such a requirement, noting that the SolarWinds attack showed that “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly.”
She continued: “Simply put, you can’t fix what you don’t know about.”
According to The New York Times, companies that violate these rules would have their products banned from being sold to the federal government. For many companies that count the federal government as their largest client, such a ban could serve as a revenue death knell.
Finally, the Executive Order could create a “cybersecurity incident review board” to investigate major cyberattacks in the US, and the Order could ask victims of cyberattacks to work with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency when responding to attacks.