President Biden has issued a long-awaited executive order (EO) designed to improve supply chain security, incident detection and response and overall resilience to threats.
Although every President in recent years has issued an order to improve the nation’s cybersecurity, experts believe this one is more detailed and has a better chance of success than previous efforts. It also comes amidst unprecedented attacks on US government and critical infrastructure, in the form of the SolarWinds, Exchange Server and Colonial Pipeline attacks, to name just a few.
Among the key measures is a requirement for all federal government software suppliers to meet strict rules on cybersecurity or risk being blacklisted. Eventually, the plan is to create an “energy star” label so both government and public buyers can quickly and easily see whether software was developed securely.
Other measures include an “aircrash investigation-style” Cybersecurity Safety Review Board, which will make recommendations for improvements after any major incident, and a standardized playbook for government incident response.
The EO will also mandate a drive to secure cloud services and zero trust, including multi-factor authentication and data encryption at rest and in transit, by default.
There are also provisions for government-wide endpoint detection and response (EDR), improved information sharing within government and between public and private sectors, and event logging requirements for federal government departments to enhance investigation and remediation.
The executive order has been welcomed by security experts.
Brian Fox, CTO and founder of Sonatype, argued that it will require suppliers and software companies in general to be more accountable for what’s in their code.
“While it shouldn’t have taken government intervention for businesses to practice proper software hygiene, Biden is harnessing the purchasing power of the federal government to advance software security — and this is something all nations would benefit from emulating,” he added.
Andrew Rubin, CEO of Illumio, praised the focus on best practice zero trust models for securing distributed computing environments.
“The Biden administration has unfurled a sweeping Executive Order finally acknowledging the failings of an outdated federal cybersecurity model, and laying bare the first iteration of a new security design — founded in zero trust,” he argued.
“Cyber complacency isn’t just an American problem, or a federal problem, or a policy problem – it's a global problem. That’s why I welcome this executive order with open arms. It’s a call to action to the world that we need to change the way we protect ourselves. And with this new executive order — this new zero trust blueprint — we’re on the path to a more secure future.”