The Biden administration is putting the finishing touches on an executive order aimed at helping the U.S. defend itself against major cyberattacks like the SolarWinds breach.
The order, which is still being developed, lays out a series of stronger requirements for companies that do business with the government. This initiative includes plans for more systematic investigations of cyber events and standards for software development. The goal is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector. So you should probably start preparing for this change.
“So essentially, federal government procurement allows us to say, ‘If you’re doing business with the federal government, here’s a set of things you need to comply with in order to do business with us,’” Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House, told NPR in an exclusive interview.
Biden administration response to SolarWinds attack
She explains that the executive order will “set the goal, give it a timeline and then establish the process to work out the details” on a handful of cybersecurity initiatives, from setting up new ways to investigate cyberattacks to developing standards for software.
The effort is all part of the administration’s response to the recent cyberattack on SolarWinds. Hackers linked to Russian intelligence compromised one of the company’s routine software updates and used that access to break into about 100 top U.S. companies and several government agencies. The hackers roamed around the networks for 9 months before they were finally discovered.
“We did a detailed study of SolarWinds and it showed that we have major work to do to modernize our cybersecurity … to reduce the risk of this happening again,” Neuberger said. “And the upcoming executive order is a big part of that.”
Neuberger said federal contractors will be required to be more open about attacks. “If you’re doing business with the federal government, then when you have an incident, you must notify us quickly,” she said. “Because we’d like to take that incident and ensure that the tactics, techniques and procedures, the information is broadly shared,” she said. Then other companies, presumably, would follow their lead.
The Biden administration has already leveled sanctions against Russia for the SolarWinds attack. And the White House has said there would be more “seen” and “unseen” responses to the breach.
A senior Department of Homeland Security official told reporters during a phone call in March that the department is continuing “to work urgently to make the investments necessary, and the administration is working on close to a dozen actions for an upcoming executive order.”
Additionally, the administration last week kicked off a 100-day plan aimed at protecting the nation’s power grid against cyberattacks.