The Executive Order that will Require Software Vendors to Notify Government of Cybersecurity Breaches

The Biden administration is planning to issue an executive order that will require many software vendors to provide notification when they experience a data breach, according to a recent draft. Reuters reported on March 25, 2021 that the order will affect companies whose customers include agencies of the federal government. The administration could issue the order as early as March 31, although a spokeswoman from the National Security Council (NSC) said that its contents haven’t been finalized yet.

The order is largely the result of high-profile breaches like the ones caused by the SolarWinds hack that was reported in December 2020. The hackers in that case are suspected of infiltrating SolarWinds’s network management software on behalf of the Russian government by adding code that allowed them to spy on the software’s end users. That attack affected nine federal agencies and compromised data for 100 companies, including major tech firms like Microsoft.

 

Measures

The NSC spokeswoman stated that the purpose of the executive order is to enable the prompt investigation and remediation of threats to the services that the federal government provides for the American people. She added that the government can’t fix what it doesn’t know about.

Security experts have long sought the measures specified in the proposed order, which include the use of encrypted data and multi-factor authentication (MFA) within federal agencies. The order will also impose additional rules on critical software, such as providing a software bill of materials, which would specify the software’s contents. This measure is necessary because software is increasingly likely to activate other programs, which greatly increases the risks posed by the originating software.

 

Impact

The measure with the greatest immediate impact on software developers will be the notification requirement. This clause will override the non-disclosure agreements that software vendors often have with other parties, which have limited the sharing of information on data breaches in the past. Analysts will be better able to develop defenses against malware, especially malware that attacks multiple targets at the same time. The order will also require vendors to keep more detailed records on breaches and work more closely with government agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) when they investigate security incidents.

Implementing the executive order will require the federal government to make a series of updates to the rules on federal acquisition. Companies that provide software to the government on a large scale, including Microsoft and Salesforce, will experience the greatest effect from these changes. Congress has previously tried to pass laws requiring data breach notification, but industry lobbyists have defeated these efforts. However, those bills would have required companies to publicly report breaches through government agencies.

 

Implications

The current draft of the executive order will at least partially achieve its goal of disclosure, especially if it results in the passage of a law that requires it. The order will also create a board with members from federal agencies and industry experts that would investigate cybersecurity incidents. A combination of protections and incentives will encourage victims and vendors to share information on incidents.

 

Cybersecurity green flickr photo by Infosec Images shared under a Creative Commons (BY) license