President Joe Biden is working on a draft executive order to require companies doing business with the federal government to report hacks within a few days. Homeland Security secretary Alejandro Mayorkas stated the order would also require the companies to use data encryption and two-factor authentication and would combat ransomware and improve protection for industrial control systems, transportation and election security. The SolarWinds hack has prompted the government to pay closer attention to cybersecurity.
Bloomberg reports that deputy national security advisor for cyber and emerging technology Anne Neuberger stated that, “the administration was consulting extensively with the private sector on the proposed executive order,” with the goal of “aggressive and achievable” cybersecurity improvements. “Many of the measures in the executive order will be long overdue and we look forward to sharing them with the American people soon,” she added.
The earlier Russia-originated SolarWinds hack, she said, breached “at least nine government agencies and 100 U.S. companies” before it was discovered by cybersecurity company FireEye, which disclosed it in December.
Today, companies are sometimes loath to share hacks with the government due to “a fear of reputational damage and non-disclosure agreements that prevent sharing the information.” Under the executive order, a timely report of a hack would go to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Software vendors would also be required to “secure their so-called build systems … by insuring they aren’t accessible to the Internet and that the identity of workers who access the code is protected by two-factor authentication.” Software companies would also have to provide the government a “software bill of materials” that reveals “the various pieces of code in a software product.”
Government agencies would also be required to encrypt the data they store to make it “unreadable by hackers.”
Elsewhere, Bloomberg reports that Mayorkas has described the process of improving cybersecurity as “a series of 60-day sprints, each focused on the most important and most urgent priorities needed to achieve our goals.” “Our government got hacked last year, and we didn’t know about it for months,” he said. “This incident is one of many that underscores the need for the federal government to modernize cybersecurity defenses and deepen our partnerships.”
He wasn’t just referring to SolarWinds but to other incidents, such as Microsoft’s revelation in March that “Chinese hackers had exploited vulnerabilities in its email software, which cybersecurity experts say compromised tens of thousands of entities.” Mayorkas also pointed to a Florida water treatment plant that a hacker breached, “briefly boost[ing] the level of a toxic chemical.”
Mayorkas “also placed cybersecurity and the work of DHS’ CISA in the context of global democracy.” “Far too often cybersecurity is used as a pretext to infringe on civil liberties and human rights,” he said. “A free and secure cyberspace is possible and we will champion this vision with our words and our actions.” He added that the $650 million Congress earmarked for CISA is only a “down payment” on the work that needs to be done.