After 2020’s massive SolarWinds breach, the US government is planning an executive order intended to overcome industry resistance to cooperation during security crises.
The Biden administration has announced a plan to issue an executive order that compels software vendors to keep the US government informed when any of the corporate customers they serve suffers a cybersecurity breach.
Likely precipitated by the massive SolarWinds breach late last year, the order, if it is issued this week as expected, signals that the federal government has grown wary, and weary, of delays in breach disclosure.
The nationwide mandate also includes measures such as multi-factor authentication and encryption of data inside federal agencies; a ‘software bill of materials’ (SBOM) that spells out which components make up the code in critical software; and the overarching power to override non-disclosure agreements that have previously restricted information sharing in crises.
What experts think
According to security strategist Tim Mackey of the Synopsys Software Integrity Group, the proposed order outlines several steps in the right direction in the battle against cybercrime.
- First, it recognizes that there is no possible way to patch something you don’t know you’re exposed to. This is critical when you recognize that the days of software being created exclusively within the proverbial four walls of a commercial software vendor are long gone.
- The majority of the code in commercial applications has its roots in open source efforts. That is why a software bill of materials is a critical asset in any cyber-defender’s toolkit: the weakness being exploited may be in the DNA of the software, and the vendor may not be aware of the risk, which is where the greater communication and transparency outlined in the proposed order become valuable.
“Attackers control the rules of their attacks, and their success is directly related to their ability to execute their playbook against multiple targets. When successful attack patterns are kept secret, this enables an attacker to replay their attacks with confidence that they’ve a wide window of opportunity,” Mackey added.
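To make Mackey’s point concrete, here is an added example (not code from this article, from Synopsys, or from the executive order) of what a defender can do once an SBOM exists: it loads a constructed CycloneDX-style SBOM, matches every listed component against a hypothetical advisory list, and reports the dependency path through which a vulnerable transitive component reached the product. All component names, versions, advisory identifiers and the `find_exposure` helper are assumptions made for illustration; the version comparison is deliberately simplified to dotted integers.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM, shaped like a minimal CycloneDX JSON document.
# Every component name, version and bom-ref here is hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:web", "name": "webframework", "version": "4.1.2"},
        {"bom-ref": "pkg:tmpl", "name": "templatelib", "version": "1.9.5"},
        {"bom-ref": "pkg:log", "name": "loglib", "version": "2.14.1"},
    ],
    # Dependency graph: the product depends on webframework, which pulls in
    # templatelib and loglib. The vendor may never have chosen loglib directly.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:web"]},
        {"ref": "pkg:web", "dependsOn": ["pkg:tmpl", "pkg:log"]},
        {"ref": "pkg:tmpl", "dependsOn": []},
        {"ref": "pkg:log", "dependsOn": []},
    ],
})

# Constructed advisory feed: component name -> (advisory id, first affected
# version, first fixed version). The identifiers are placeholders, not real CVEs.
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "loglib": ("ADV-EXAMPLE-1", "2.0.0", "2.15.0"),
    "templatelib": ("ADV-EXAMPLE-2", "2.0.0", "2.1.0"),
}


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified dotted-integer version ordering (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed (fixed version is exclusive)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def load_sbom(text: str):
    """Return (root bom-ref, components by bom-ref, dependency edges)."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    components = {c["bom-ref"]: c for c in doc["components"]}
    components[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, edges


def dependency_path(root: str, edges: Dict[str, List[str]], target: str) -> Optional[List[str]]:
    """Depth-first search for one path of bom-refs from the root product to target."""
    stack = [(root, [root])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in edges.get(node, []):
            stack.append((child, path + [child]))
    return None


def find_exposure(sbom_text: str, advisories: Dict[str, Tuple[str, str, str]]) -> List[dict]:
    """Match each SBOM component against the advisory feed and report how it was pulled in."""
    root, components, edges = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        advisory = advisories.get(comp["name"])
        if advisory is None:
            continue
        adv_id, introduced, fixed = advisory
        if not is_affected(comp["version"], introduced, fixed):
            continue
        path = dependency_path(root, edges, ref)
        findings.append({
            "advisory": adv_id,
            "component": f'{comp["name"]}@{comp["version"]}',
            "path": [components[r]["name"] for r in path] if path else [comp["name"]],
            "fixed_in": fixed,
        })
    return findings


if __name__ == "__main__":
    for finding in find_exposure(SAMPLE_SBOM, ADVISORIES):
        print(f'{finding["advisory"]}: {finding["component"]} reached via '
              f'{" -> ".join(finding["path"])}; upgrade to {finding["fixed_in"]}')
```

The single finding is the transitive loglib dependency: templatelib is listed in the advisory feed too, but its shipped version sits below the affected range, which is exactly the distinction an SBOM lets a defender make without waiting for the vendor.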
Another expert noted that the US Congress has tried, without success, to establish a national data breach notification law in the face of vigorous industry resistance. If the current plan succeeds, its broad disclosure goal could pave the way for a new law on public disclosure in the future.
Other experts have suggested that a cybersecurity incident-response board could be in the pipeline if the order materializes. This could facilitate the sharing of critical information between the authorities and cybersecurity firms, encouraged by a mix of incentives and liability protections.