President Joe Biden signed an executive order on Wednesday in an attempt to bolster US cybersecurity defenses after a number of devastating hacks, including the Colonial pipeline attack, revealed vulnerabilities across business and government.
“Recent cybersecurity incidents… are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the White House said.
Under the order, federal agencies will be required to introduce multi-factor authentication to their systems and encrypt all data within six months in a bid to make it harder for hackers to penetrate their IT infrastructure.
The order also requires IT providers that contract with the government to meet higher security requirements and report to them if their systems have been breached. There would be strict timelines for disclosure on a sliding scale based on the severity of the incident, a senior administration official said.
A pilot of a new star rating system for software sold to the government will also be launched, so that the officials and the public can judge how secure it is.
The measures come in the wake of the SolarWinds hack, in which Russian hackers hijacked American-made software to conduct espionage campaigns that targeted dozens of businesses, plus agencies including the US commerce and Treasury departments.
Earlier this year, it emerged that Chinese state-backed hackers had also been conducting stealthy attacks on multiple targets by exploiting recently disclosed vulnerabilities in Microsoft software.
The order also comes after a ransomware attack by a group of cyber criminals crippled a key East Coast pipeline run by Colonial on May 7, causing a run on petrol and fuel shortages. The 5,500-mile pipeline system resumed operations on Wednesday.
“These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents,” the White House said.
In an effort to streamline government cyber defenses, the order seeks to introduce a “playbook” for how government agencies should respond to incidents, and improvements in logging and information-sharing following breaches.
It also sets up a private-public sector board, to be named the Cybersecurity Safety Review Board, tasked with analyzing large cyber incidents after they have occurred and making recommendations to prevent them happening again.
The board, which is modeled on the National Transportation Safety Board that investigates airplane and train crashes, would first be tasked with reviewing the SolarWinds hack, the senior administrative official said.