The US Federal Govt. is weighing changes to strengthen the security of the software it relies on, in the wake of the sprawling SolarWinds cyber-attacks that came to light in Dec., including a requirement that vendors notify the govt. of data breaches.
The post-SolarWinds Executive Order (EO) could be issued as soon as next week, according to a report.
Under a draft executive order from President Joe Biden, software companies would be required to disclose any security issues to govt. users, according to a report from Reuters.
“The Federal Govt. needs to be able to investigate & remediate threats to the services it provides the American people early & quickly,” a spokeswoman for the National Security Council (NSC) told the outlet. Referring to the SolarWinds incident, she noted that, “Simply put, you can’t fix what you don’t know about.”
In that campaign, adversaries used SolarWinds’ Orion network management platform to infect targets, pushing out a custom backdoor called Sunburst via trojanised product updates. Sunburst was delivered to almost 18,000 organisations around the globe, starting last Mar., before being discovered in Dec.
With Sunburst embedded, the attackers could then pick & choose which organisations to penetrate further, in a massive cyber-espionage campaign that hit 9 US Govt. agencies, tech companies such as Microsoft, & around 100 others.
Software Bill of Materials
Other provisions in the draft EO, according to Reuters, include requiring a “software bill of materials” for all packages in use across the govt., detailing the provenance of all code, including open-source & partner components. The order would also mandate the use of multifactor authentication & data encryption for federal agencies.
The order as it now stands would further require vendors to keep digital records & to work with the FBI & the Cyber-Security & Infrastructure Security Agency (CISA) on incident response, according to the report.
Finally, the draft order would create a cyber-security incident-response board with a mission of information-sharing. The board would bring together federal representatives & cyber-security researchers to host a forum for vendors, & it would offer both incentives & liability protections to encourage participation, according to Reuters.
The NSC spokeswoman said that the EO could be released as soon as next week, but that final decisions on exactly what it will contain have yet to be made.