President Biden, on Wednesday, Ordered U.S. Agencies and the Software Contractors that Supply them to Boost their Defenses against Cyberattacks that Officials say pose a growing Threat to National Security and Public Safety.
The President Signed an Executive Order that establishes Baseline Cybersecurity Standards for U.S. Agencies and their Software Contractors, including Mandates to use Multi-Factor Authentication and Data Encryption, and that Requires Federal Information Technology Vendors to Disclose certain Data about Hacks.
The Order also establishes a Cybersecurity Safety Review Board, to be led by a Mix of Government and Private-Sector Cybersecurity Experts. The Board will be Empowered to Investigate Significant Cyber Intrusions and Publish Security Recommendations. The Board is modeled loosely on the National Transportation Safety Board (NTSB), which Investigates Airplane Crashes and other Transit Failures, Officials said.
The New Order is intended to Reorient the Federal Government’s approach to Cybersecurity around Prevention rather than Crisis Response, a Senior Administration Official said. It came as Colonial Pipeline Co. Restarted its 5,500-mile Conduit, a Major Source of Fuel throughout the East Coast, late Wednesday afternoon. The Pipeline was taken Offline on Friday in response to a Ransomware Cyberattack.
The Order was written largely before that Hack was Disclosed and doesn’t Specifically Address Critical Infrastructure Cybersecurity, like the Energy Grid or Gas and Oil Pipelines.
For too long, the Government and the Private Sector have had a “laissez-faire attitude to cybersecurity,” the Senior Administration Official said. “The cost of the continuing status quo is simply unacceptable.”
Contractors that Fail to Comply with the Baseline Standards would essentially be Prohibited from Selling their Products to the Federal Government, a Black Mark that could be Crippling to a Company’s Commercial Viability as well.
In recent months, the U.S. has been Besieged by Three major hacks, each of which Exposed Critical Vulnerabilities in U.S. Cyberdefenses.
The SolarWinds Cyber Espionage Campaign, which the U.S. has Blamed on Russia, Hijacked the Software Supply Chain to Infect at least Nine Federal Agencies and roughly a Hundred Private-Sector entities. The Hack, a key impetus for the Executive Order, was considered so Damaging to National Security it prompted the Biden Administration to Issue Sanctions and other Retaliatory Measures against Russia. Russia has Denied the Hack.
In March, an unusually Indiscriminate and far-reaching Hack of Microsoft Corp.’s Exchange Server Email Software was Identified that rendered Hundreds of Thousands of Small Businesses, Schools, and other Organizations Vulnerable to Intrusion. That Hack has been Linked by Microsoft and some Security Researchers to Groups believed to be based in China. China denied involvement.
The Order, which runs more than 30 pages and includes Dozens of Specific Steps that Agencies need to Implement within several Months, is Designed, in part, to address concerns that Software Vendors are a Weak Link of Cyberdefense that can be Compromised to Devastating effect. The SolarWinds Hack, for example, involved Corrupting a Software Update provided by the Austin, Texas-based Network-Management Company SolarWinds Inc. that enabled Hackers to Infiltrate Scores of its Customers’ Computer systems without Detection.
Biden has singled out Cybersecurity as a Top Security Issue facing the Country, and has vowed more Forceful Responses against Hackers who for years have purloined Secrets, Extorted from Businesses, and Destroyed Computer Systems, sometimes Costing Corporations Hundreds of Millions of dollars.
Among other Elements, the Order strives to Improve Information Sharing of Cyber Threat Data between Federal Agencies and creates New Requirements for Agencies to Log Cybersecurity Data that can be helpful in Identifying and Responding to Hacks. It also seeks to make the Government Modernize and more widely adopt Cloud Computing, while Creating Security Standards for Cloud Migration.
It will also Create a Pilot Program that would Label Software that meets Security Benchmarks with an “Energy Star,” which the Government and the Public broadly can use to Guide Purchasing Decisions. The Labeling Program is Inspired in part by New York City’s Food Cleanliness Labels for Restaurants, the Senior Administration Official said.
Industry Groups, including the Information Technology Industry Council (ITIC), some Lawmakers, and former Officials praised the Steps taken in the Order, but said More needed to be done.
“This executive order is a good first step, but executive orders can only go so far,” Sen. Mark Warner (D-VA), the Chairman of the Senate Intelligence Committee, said. Warner is among a Group of Lawmakers who have launched a New Push for National Data-Breach Notification Rules, and has said other Legislation is necessary as well.
NYC Wins When Everyone Can Vote! Michael H. Drucker