(Bloomberg) — Companies doing business with the federal government would be required to report hacks of their computer networks within a few days, according to a draft executive order that the Biden administration is urgently trying to complete, people familiar with the matter said.
President Joe Biden hasn’t yet signed off on the executive actions, which are likely to reach his desk in the next two weeks, one of the people said.
The executive order, when signed, would mandate important cybersecurity improvements, but it also would push basic changes that could deter cyber-attacks in both the government and private sector, according to people familiar with it. They requested anonymity to speak about actions the administration hasn’t yet announced.
The order is part of a number of new initiatives pursued by the administration’s new cybersecurity team, which is hoping to take advantage of the crisis created by what is known as the SolarWinds hack to institute a broad security overhaul. The administration is seeking stronger protections of the electrical grid and wider government visibility into some private-sector networks.
The order would also require companies that work with the U.S. government to meet certain software standards, as well as require improvements to federal agencies’ basic security practices, including mandating data encryption and two-factor authentication.
Homeland Security Secretary Alejandro Mayorkas said Wednesday that an executive order on cybersecurity would include nearly a dozen actions.
Anne Neuberger, Biden’s deputy national security advisor for cyber and emerging technology, told reporters in February that at least nine government agencies and 100 U.S. companies were breached by the suspected Russian hackers, who installed malicious code in updates to SolarWinds Corp. software. The hackers could then use the malicious code as a sort of backdoor to infiltrate SolarWinds customers who received the compromised update.
The hack was discovered by the cybersecurity company FireEye Inc., which disclosed it in December.
The executive order would ask software and hardware vendors who become aware of a hack to notify their customers in the federal government within a few days, people familiar with the draft language said. The proposal is designed to fix longstanding issues that keep companies from sharing security incidents with the government, including a fear of reputational damage and non-disclosure agreements that prevent sharing the information.
That information would then be passed to the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. While the requirement would be part of the executive order, some details — including protocols for protecting that information — would be worked out by a designated task force of officials and experts, according to an administration official.
Software vendors would be required to secure their so-called build systems — where complex software is assembled — by ensuring they aren’t accessible from the internet and that the identity of workers who access the code is protected by two-factor authentication, among other measures, the official said.
Biden officials also want software companies selling to the government to be more transparent about their products. The order would require the companies to provide the government with a “software bill of materials” that breaks down the various pieces of code in a software product, according to several people familiar with the draft order. The move would give both the government and other customers a better chance at spotting hidden flaws in the software that can be exploited by hackers.
A key element of the order would be the requirement that government agencies encrypt the data now stored in their computers, which would make it unreadable by hackers. A senior administration official declined to specify which agencies had the poorest record when it came to deploying basic security measures but said problems were found in every agency examined.