The U.S. federal government is mulling changes to up its cybersecurity software game in the wake of the sprawling SolarWinds cyberattacks that came to light in December, including requiring data-breach notifications.
In a draft executive order from President Joe Biden, software companies would be required to disclose any security issues to government users, according to a report from Reuters.
“The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” a spokeswoman for the National Security Council told the outlet. Referring to the SolarWinds incident, she noted that, “Simply put, you can’t fix what you don’t know about.”
In that campaign, adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March, before being discovered in December. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a massive cyberespionage campaign that has hit nine U.S. government agencies, tech companies like Microsoft and 100 others hard.
The other draft cybersecurity orders in the EO, according to Reuters, include requiring a “software bill of materials” for all packages in use across the government, detailing the source of all code, including open-source and partner pieces. And, it would mandate the use of multifactor authentication and data encryption for federal agencies.
The order as it now stands would also require vendors to keep digital records and work with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on incident response, according to the report.
And finally, the draft order would create a cybersecurity incident-response board, which would have a mission of information-sharing. The board would bring together federal representatives and cybersecurity researchers to host a forum for vendors; and, it would offer both incentives and liability protections to encourage participation, according to Reuters.
The NSC spokeswoman said that the EO could be released as quickly as next week, but that final decisions on what exactly will go into it have yet to be made.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: