Biden Signs Executive Order to Strengthen Federal Government Cybersecurity

While every president since George W. Bush has issued new guidelines to bolster the nation’s digital defenses, Biden’s order is intended to reach deeply into the private sector. And it is much more detailed than previous efforts.

For the first time, the United States will require that all software purchased by the federal government comply, within six months, with a series of new cybersecurity standards. Although companies would have to “self-certify,” violators would be removed from federal procurement lists, potentially ending their ability to sell their products on the commercial market.

The order also establishes an incident review board, modeled on the teams that investigate airline accidents, to learn lessons from major hacking episodes. The White House demands that the first incident under review be the SolarWinds hack, in which Russia’s main intelligence agency altered the computer code of a US company’s network management software. It gave Russia wide access to 18,000 agencies, organizations and companies, mainly in the United States.

The new order also requires all federal agencies to encrypt their data, whether it is at rest in storage or in transit while being transmitted – two very different challenges. When China stole 21.5 million files on federal employees and contractors who had security clearances, none of the files were encrypted, meaning they could be easily read. (The Chinese hackers, the researchers later concluded, encrypted the files themselves, to avoid detection while sending the confidential records to Beijing.)

Previous efforts to enforce minimum standards in software have failed to pass in Congress, most notably in a major showdown nine years ago. Small businesses have said that the changes are not affordable, and larger ones have opposed an intrusive role for the federal government within their systems.