Dating back to SolarWinds — the fallout from which began a few months before his administration — and continuing through the Microsoft Exchange hacking and the Colonial Pipeline shutdown, the Biden administration has been beset with wall-to-wall cybersecurity crises. Today, President Joe Biden signed an executive order to fight back.
The long-awaited executive order has been in the works since the first weeks of the presidency.
"Today's executive order makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely," a senior administration official told reporters.
The executive order operates within the federal government and uses some of its buying power to influence broader private sector practices. Regarding the government, it encourages federal systems to invest in secure cloud services, detection and zero-trust architecture, and mandates multifactor authentication, logging, and encryption. The order creates a standard playbook for agencies to respond to breaches.
The order intersects with the private sector by extending requirements to federal suppliers, including notifying the government of breaches that could impact national security and setting minimum security standards for software sold to the government. It also creates a public/private review board to deconstruct and learn from major cyber incidents the way the National Transportation Review Board investigates plane crashes. The review board would be chaired by private sector representatives to show the administration's intent to work with, and not against, industry.
Congress is currently mulling a similar requirement for all companies, not just ones with federal clients, to notify government of breaches that could impact national security. The administration official told reporters the executive order gives the Hill "opportunity to say which of these [ideas] should be applied more broadly."
The order also sets in motion standardized labeling for internet-connected products to allow for quick comparison of security features.
"Today, for example, parents looking at two different video baby monitors have no way of knowing which is built more securely. This program will change that, giving the consumer insight while simultaneously rewarding the company that makes the more secure monitor with recognition in the market," the administration official told reporters.
The administration will explore ways to incentivize adoption of the labels.
"Software security has to be a basic design consideration," said the official. "We'd never buy a family minivan knowing it could have potentially fatal defects, with the expectation of recalls, or decide whether you want to install and pay for seatbelts and airbags afterwards."