It also seeks to improve the government’s response to major cyber-attacks.
The order has been in the works for months but was released less than a week after a ransomware attack on Colonial Pipeline Co. forced the company to cut off the flow of fuel to much of the U.S. East Coast, leading to gasoline shortages and filling stations running out. Colonial said Wednesday evening that the pipeline was returning to service.
In a statement outlining the order, the White House stated that much of the U.S.’s critical infrastructure is owned and operated by the private sector, and it urged those companies to bolster their own cyber defenses.
“The Colonial Pipeline incident is a reminder that federal action alone is not enough,” according to White House statement. “We encourage private-sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
The executive order was crafted amid a heightened sense of angst over the U.S.’s apparent inability to deter criminal and nation-state hackers, after a series of devastating breaches that have claimed federal agencies, technology companies, hospitals and even a major police department as victims.
The order requires IT service providers with government contracts to share information about cyber-incidents with the U.S., an idea that has previously ran aground because of a reluctance to disclose hacks and contractual barriers, which the White House vowed to remove. The service providers will be required to share the information within specific time lines, a sliding scale based on the severity of the incident, according to a senior administration official, who was granted anonymity to discuss the order.
It also seeks to move the federal government toward more modern and safer computer networks, embracing secure cloud services, encryption and multifactor authentication within six months. The order pledges to improve the government’s ability to detect hackers in its networks and to keep logs of computer activity to ward off hacks and speed up detection after a breach.
The president’s order calls for new standards for the security of the software supply chain, which was compromised as part of the so-called SolarWinds attack last year. In that instance, Russian hackers installed a backdoor in software for Texas-based SolarWinds Corp. software, which some customers installed during updates.
The hackers ultimately infiltrated nine federal agencies and about 100 companies using the SolarWinds’s backdoor, in addition to other methods.
The senior administration official said the order only makes a down payment toward modernizing cyber defenses, and stressed that the White House wants to focus on building more secure software products for Americans. As such, software purchased by the federal government must meet the new standards within nine months, the official said. Other improvements in the federal government will be rolled out within six months.