Many software vendors would have to notify their US government customers when the companies suffer a cyber security breach, according to an executive order reportedly being considered by President Joe Biden.
The proposed rule would over-ride non-disclosure agreements, which software companies say limit information sharing, and allow officials to view more intrusions, Reuters reported.
The order would also compel vendors to preserve more digital records and work with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) when responding to incidents.
The draft order would adopt measures long sought by security experts, including requiring multi-factor authentication and encryption of data inside government agencies, according to the news agency.
The order would impose additional rules on programs deemed critical, such as requiring a “software bill of materials” which details what is inside. An increasing amount of software activates other programs, expanding the risk of hidden vulnerabilities.
The draft measures also envisage creation of a cyber security incident response board to encourage vendors and victims to share information.
A National Security Council spokesperson said no decision has yet been made on the order’s final content.
But she also referenced the SolarWinds hack late last year when cyber-attackers, suspected of being linked to Russia, breached IT group SolarWinds’ defences and compromised the data of many government agencies and businesses.
That incident showed “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about,” the spokeswoman said.
Register for free to receive the latest data protection and privacy news and analysis straight to your inbox
No comments yet