While every president since George W. Bush has issued new guidelines to bolster the country’s digital defenses, Mr. Biden’s order is intended to reach deep into the private sector. And it is far more detailed than past efforts.
For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although the companies would have to “self-certify,” violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market.
The order also establishes an incident review board, much like the teams that investigate airline accidents, to learn lessons from major hacking episodes. The White House is mandating that the first incident under review will be the SolarWinds hack, in which Russia’s premier intelligence agency altered the computer code of an American company’s network management software. It gave Russia broad access to 18,000 agencies, organizations and companies, mostly in the United States.
The new order also requires all federal agencies to encrypt data, whether it is in storage or while it is being transmitted — two very different challenges. When China stole 21.5 million files about federal employees and contractors holding security clearances, none of the files were encrypted, meaning they could be easily read. (Chinese hackers, investigators later concluded, encrypted the files themselves — to avoid being detected as they sent the sensitive records back to Beijing.)
Previous efforts to mandate minimum standards on software have failed to get through Congress, notably in a major showdown nine years ago. Small businesses have said the changes are not affordable, and larger ones have opposed an intrusive role of the federal government inside their systems.
Article source: https://www.nytimes.com/2021/05/12/us/politics/biden-cybersecurity-executive-order.html