A new executive order from
Although the order focuses on reporting requirements for government contractors, it could trickle down to business-to-business information sharing, said Paul Ferrillo, a privacy and cybersecurity partner at Seyfarth Shaw LLP in New York.
“It could compel companies to share information about hacks or vulnerabilities even if they’re not legally required to do so,” Ferrillo said. “The order will help reinforce the fact that the sharing of information helps the company, the industry, and the country.”
The order, unveiled Wednesday evening, also seeks to bolster resiliency in the software supply chain and boosts security requirements for government computer networks.
It comes less than a week after a massive ransomware hit against Colonial Pipeline Co., and less than six months after a far-reaching supply chain attack against SolarWinds Corp. that affected private companies and federal agencies alike was publicly revealed.
Companies are often reticent to share attack information and may not disclose hacks if there’s no legal or regulatory requirement to do so, said Dhruv Sharma, a commercial litigation attorney at McGlinchey Stafford PLLC’s Irvine, Calif., office.
“Businesses don’t want bad publicity in the media or scrutiny from lawmakers,” Sharma said. “Especially if the hack could’ve been prevented, it creates a bad image for the company moving forward.”
They may also fear regulation violations or penalties that could arise from disclosing attacks, he said.
That reticence to information sharing, however, is beginning to dissipate, said Curtis Simpson, the chief information security officer at Armis Security.
“Folks are coming to realize these attacks happen to everyone,” Simpson said. “You’ve seen mindsets shift and people are seeing the benefits of engaging law enforcement and others.”
Ferrillo said a company’s breach disclosure, to the government or to other businesses operating in the sector, shouldn’t be viewed so negatively. If a company refuses to disclose information about its weaknesses and an attack spreads to other entities, it’s likely to be lambasted by regulators and the public for keeping quiet, he said.
By sharing intelligence about an attack or a bad actor, businesses can engender goodwill among other companies, who in turn may be more willing to share information in the event that they’re breached.
“It gives others in the sector some time to protect their information and themselves,” Ferrillo said. “If you don’t share, people might hold that against you.”
Supply Chain Security
The executive order also compels the National Institute of Standards and Technology to publish guidelines for enhancing software supply chain security.
Those standards will prove critical for software developers and may help prevent the “ripple” of cyberattacks throughout the supply chain going forward, said Linn Freedman, a Providence, R.I.-based partner at Robinson & Cole LLP.
Placing NIST at the center of that guideline recommendation is a good idea since the agency has a good track record of working with industry, academics, and cybersecurity experts to develop frameworks, said Aaron Cooper, vice president of global policy at the trade group BSA | The Software Alliance.
“The best practices that come out of that process hopefully will be helpful beyond U.S. government procurement, and also help inform the way companies operate and behave,” Cooper said.
It’s a significant but long overdue step that the executive order also requires multifactor authentication and encryption across the federal government, Freedman said.
That measure, coupled with the new reporting requirements and security upgrades outlined in the order, will enable the government to be “less flat-footed” in dealing with future attacks, she said.
“These attacks are a wake-up call for the federal government that it needs to have a better vendor management program,” Freedman said. “Now the government has the clout and the leverage to say, ‘If you want to do business with us, you need to change.’”