U.S. President Joe Biden has signed an executive order aimed at improving the nation’s cybersecurity and protecting federal government networks, and IT departments and the enterprise networks they’re charged with protecting could all benefit from adopting some of the concepts laid out in the order.
The order is in response to several recent devastating cyberattacks, including the Russian compromise of SolarWinds Orion, the Chinese hack of Microsoft Exchange Server and the ransomware attack that shut down the Colonial Pipeline.
It instructs the federal government to develop plans to implement IT concepts like Zero Trust and orders agencies to develop criteria for securing the software supply chain, establish a cybersecurity safety review board, modernize cybersecurity standards, create a playbook for incident response, improve network detection, and improve investigative and remediation capabilities.
The order also aims to remove barriers to sharing threat information between the government and the private sector, a barrier frequently cited by cybersecurity experts when discussing the advantage that malicious actors have over the InfoSec community.
One reason for the lack of information sharing on the defenders' side is that IT providers are locked into contractual obligations or simply don’t want the world to know that they were the victim of a breach, which would have obvious implications for media coverage and share prices.
The order seeks to remove contractual barriers and requires providers to share breach information with the U.S. government.
Biden’s order also requires agencies to adopt multi-factor authentication and encryption and move toward a Zero Trust architecture as agencies continue to migrate to the cloud.
For software sold to the government, the order mandates the creation of baseline security standards, including making security data public and maintaining greater visibility. This part of the order also creates a pilot program that will affix some kind of certification to software so the government and other users will know that the product is secure.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” reads a fact sheet on the order. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”