It also seeks to improve the government’s response to major cyber-attacks.
The order has been in the works for months but was released less than a week after a ransomware attack on
In a statement outlining the order, the White House stated that much of the U.S.’s critical infrastructure is owned and operated by the private sector, and it urged those companies to bolster their own cyber defenses.
“The Colonial Pipeline incident is a reminder that federal action alone is not enough,” according to the White House statement. “We encourage private-sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
The executive order was crafted amid a heightened sense of angst over the U.S.’s apparent inability to deter criminal and nation-state hackers, after a series of devastating breaches that have claimed federal agencies, technology companies, hospitals and even a major police department as victims.
The order requires IT service providers with government contracts to share information about cyber-incidents with the U.S., an idea that has previously run aground because of a reluctance to disclose hacks and contractual barriers, which the White House vowed to remove. The service providers will be required to share the information within specific timelines, a sliding scale based on the severity of the incident, according to a senior administration official, who was granted anonymity to discuss the order.
It also seeks to move the federal government toward more modern and safer computer networks, embracing secure cloud services, encryption and multifactor authentication within six months. The order pledges to improve the government’s ability to detect hackers in its networks and to keep logs of computer activity to ward off hacks and speed up detection after a breach.
The president’s order calls for new standards for the security of the software supply chain, which was compromised as part of the so-called SolarWinds attack last year. In that instance, Russian hackers installed a backdoor in software for Texas-based
The hackers ultimately infiltrated nine federal agencies and about 100 companies using the SolarWinds backdoor, in addition to other methods.
The senior administration official said the order only makes a down payment toward modernizing cyber defenses, and stressed that the White House wants to focus on building more secure software products for Americans. As such, software purchased by the federal government must meet the new standards within nine months, the official said. Other improvements in the federal government will be rolled out within six months.
“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity,” according to the White House statement. “These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
Earlier this year, China-linked hackers used a vulnerability in
But officials, speaking on condition of anonymity, said that even if all the provisions in the order had been in place, they might not have prevented the attack on SolarWinds or the Colonial Pipeline.
“This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities,” according to Senator
Hackers stole almost 100 gigabytes of data from company networks in just two hours, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation. A ransomware group called DarkSide is suspected to be behind the attack.
To contact the editors responsible for this story:
John Harney, Andrew Martin
© 2021 Bloomberg L.P. All rights reserved. Used with permission.