WASHINGTON – President Joe Biden signed a sweeping executive order designed to enhance cyber security in the wake of a series of attacks on American companies that have highlighted the vulnerabilities of data and critical infrastructure.
The executive order establishes standards similar to air safety standards, turning a thus far “laissez faire attitude” into a pre-emptive approach with industrywide standards and the establishment of a Cybersecurity Safety Review Board co-chaired by government and the private sector.
A safety labelling system may be introduced – much as New York restaurants now have safety labels in the context of the coronavirus pandemic.
“Singapore has built a cybersecurity labelling initiative for Internet-connected devices; that’s a great starting point for the United States,” a senior administration official told reporters.
“We simply cannot wait for the next incident to happen to be the status quo under which we operate,” the official said. “The cost of a continuing status quo is simply unacceptable.”
The executive order reflects a “fundamental shift in our mindset, from incident response to prevention”, the official said.
This came as many gas stations up and down the east coast ran out of gasoline amid panic buying, following the shutdown last Friday of Colonial Pipeline after a cyber attack. The company carries almost half of all fuel used on the east coast.
On Wednesday, the company announced a gradual return to operations.
The restart took place at 5pm local time (5am Singapore time) but it would take “several days” for product delivery to return to normal, the company said. “Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”
The White House in a statement said: “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.
“These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
Much of US domestic critical infrastructure is owned and operated by the private sector, where companies make their own determinations on cybersecurity investments.
“We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments,” the statement said.
Specifically, the executive order removes barriers to threat information sharing between the private sector and the government; companies including IT service providers will be required to share information on certain types of breaches.
The principle is a “zero-trust security model”, the senior official said.
The order mandates deployment of multifactor authentication and encryption. It also improves supply chain security by establishing baseline security standards for development of software sold to the government, and requires developers to maintain greater visibility into their software and make security data publicly available.