The Biden White House is getting set to issue a last-minute order regarding cybersecurity regulations.
Military news publication Stars and Stripes, citing a Bloomberg News article that referred to sources familiar with the matter, reported that the administration is seeking an order that would mandate strong encryption and authentication protocols across channels in use by government agencies.
The information cited in the report is ambiguous, to say the least, but it is said to cover not only federal agencies but also the third-party contractors that work with them.
“In some instances, providers of software to the federal government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the government at risk of compromise,” wrote Bloomberg, citing the draft report.
The report noted the recent revelation from the U.S. Department of the Treasury that a China-based company will face sanctions over its involvement with a Chinese threat actor.
In that case, it was found that service provider Integrity Technology Group was holding up the back end for a number of state-sponsored hacking operations in China. Most notably, the company was found to be the infrastructure provider for the Flax Typhoon hacking crew.
The Treasury Department measure forbids U.S. organizations from doing business with Integrity Tech or otherwise supporting the China-based company.
The proposed Biden measure would apparently go a step further and aim to prevent attacks such as those carried out by Flax Typhoon by requiring both government organizations and private contractors to implement best practices regarding user training and encryption protocols.
While a Biden mandate would help to push best practices, studies show that the adoption of encryption tools and user training is already growing within most organizations. In reality, such an order would only mandate doing the bare minimum.
Studies from the CyberRisk Alliance showed that the overwhelming majority of organizations are already implementing or are planning to implement user training as part of their cybersecurity road map.
Such measures are seen as an essential piece of a sound cybersecurity plan and, should a company seek incident insurance coverage, will be mandatory in order to obtain approval for a policy.