The Biden administration has issued a new executive order on cybersecurity that imposes stricter requirements on companies selling software and other products to the U.S. government, with the aim of reducing the risk of cyberattacks on federal systems. Key components include expanded disclosure requirements for software providers and a rule that, starting in 2027, the government will buy only consumer internet-connected devices that carry the U.S. Cyber Trust Mark label. The order follows recent high-profile breaches, including the 2020 SolarWinds supply-chain attack and the 2023 intrusions into the email accounts of U.S. government officials by Chinese state-linked hackers.
Under the new directive, companies wishing to do business with the federal government must follow, and show that they follow, defined secure development practices. The requirements do not stop at software vendors: cloud service providers must also supply their customers with detailed guidance on configuring and operating their services securely. The General Services Administration will play a central role in shaping these policies and in ensuring that the required protections are in place.
The National Institute of Standards and Technology (NIST) will also issue guidelines for delivering software updates securely, and companies must demonstrate that they follow secure development practices before they can sell software to the government. The initiative is intended to harden the software supply chain on which federal systems depend.
The order also aims to give consumers transparency and assurance: the U.S. Cyber Trust Mark label is meant to let buyers judge the security of internet-connected devices before purchasing them. Whether these measures will be kept in place by the incoming Trump administration remains uncertain, and Biden's cybersecurity team has not yet engaged with its successors.
"We haven't discussed, but we are very happy to, as soon as the incoming cyber team is named, of course, have any discussions during this final transition period," said Anne Neuberger, deputy national security adviser for cyber and emerging technology.
The Biden administration nonetheless stresses that the order is needed in light of recent incidents, such as the 2020 compromise of SolarWinds' Orion software updates, which attackers used to reach federal agencies and other customers, and the 2023 breach of Microsoft-hosted email accounts belonging to U.S. officials. These events exposed the vulnerability of federal systems and underscored the need for stronger security requirements on suppliers.
"evidence that we post on a government website for all software users to benefit from," Neuberger said.
That evidence, the attestations software vendors must submit to show that they follow secure development practices, will be posted on a public government website so that all software users, not only federal agencies, can consult it. The transparency is meant to encourage shared responsibility for cybersecurity across sectors.