By Christopher Bing and Nandita Bose
WASHINGTON (Reuters) -President Joe Biden on Wednesday ordered the creation of an air accident-style cyber review board and the imposition of new software standards for government agencies following a spate of digital intrusions that have rattled the United States.
The executive order’s initiatives include the creation of a organization that would investigate major hacks along the lines of National Transportation Safety Board inquiries that are launched after plane crashes. They also include the imposition of new security standards for software bought by government agencies – a requirement first reported by Reuters in March.
The order follows a digital extortion attempt against major fuel transport company Colonial Pipeline that triggering panic buying and fuel shortages in the southeastern United States.
Some recommendations were clearly aimed at avoiding a repeat of the hack of Texas software company SolarWinds, whose software was hijacked to break into government agencies and steal thousands of officials’ emails.
The software rules – which are due to be drawn up by the U.S. National Institute of Standards and Technology – were among the most important parts of the order, said Kiersten Todt, the managing director of the Cyber Readiness Institute, which is geared toward helping protect small- and medium-sized businesses.
“It’s using the government’s buying power to improve the security of software,” Todt said, saying that if drafted correctly, the rules “will be a game changer in security.”
Other rules imposed by the order mandate the use of multi-factor authentication – effectively a second failsafe password – and the use of encryption both for stored data and communications.
The order follows an series of dramatic or damaging hacks against American interests. Beyond the digital ransom demand imposed on Colonial – which sources told Reuters the company did not intend to pay – and the SolarWinds-linked compromises, foreign hackers have also used vulnerabilities in software made by Microsoft and Ivanti to extract data from U.S. government targets.
Senator Mark Warner, a Democrat who chairs the Senate Intelligence Committee, said the executive order is a good first step but the United States “is simply not prepared to fend off state-sponsored or criminal hackers intent on compromising our systems for profit or espionage.”
“Congress is going to have to step up and do more to address our cyber vulnerabilities,” he said.
(Reporting by Christopher Bing and Nandita Bose; Additional reporting by Raphael Satter and Steve Holland; Editing by David Gregorio, Stephen Coates and Lincoln Feast.)