US President Joe Biden on Wednesday ordered the creation of an air accident-style cyber review board and the imposition of new software standards for government agencies following a spate of digital intrusions that have rattled the country.
The executive order’s initiatives include the creation of a organisation that would investigate major hacks along the lines of National Transportation Safety Board inquiries that are launched after plane crashes. They also include the imposition of new security standards for software bought by government agencies.
The order follows a digital extortion attempt against major fuel transport company Colonial Pipeline that triggering panic buying and fuel shortages in the south-eastern US.
Some recommendations were clearly aimed at avoiding a repeat of the hack of Texas software company SolarWinds, whose software was hijacked to break into government agencies and steal thousands of officials’ e-mails.
The software rules — which are due to be drawn up by the US National Institute of Standards and Technology — were among the most important parts of the order, said Kiersten Todt, the MD of the Cyber Readiness Institute, which is geared towards helping protect small and medium-sized businesses.
Damaging hacks
“It’s using the government’s buying power to improve the security of software,” Todt said, saying that if drafted correctly, the rules “will be a game changer in security”.
Other rules imposed by the order mandate the use of multi-factor authentication and the use of encryption both for stored data and communications.
The order follows an series of dramatic or damaging hacks against American interests. Beyond the digital ransom demand imposed on Colonial — which sources said the company did not intend to pay — and the SolarWinds-linked compromises, foreign hackers have also used vulnerabilities in software made by Microsoft and Ivanti to extract data from US government targets.
Senator Mark Warner, a Democrat who chairs the senate intelligence committee, said the executive order is a good first step but the US “is simply not prepared to fend off state-sponsored or criminal hackers intent on compromising our systems for profit or espionage”.
“Congress is going to have to step up and do more to address our cyber vulnerabilities,” he said. — Reported by Christopher Bing and Nandita Bose, with additional reporting by Raphael Satter and Steve Holland, (c) 2021 Reuters
