- The U.S. government is pushing for a new order that will compel all software vendors to report breaches immediately.
- This will save time and money as the investigation and remediation process will occur in an earlier phase.
- Software firms may also have to share internal records with the FBI, CISA, and a group of federal agents.
The Biden administration is readying a new executive order that will compel all software vendors to disclose any data breaches to the U.S. government immediately. Reuters is reporting on this new executive order, claiming to have seen a draft, and according to it, we may see it in its final form as early as next week. There is apparently great disquietude in the government about the potential threats that could be coming from numerous directions, and an order like the one reported could help get things under control.
Obviously, the December SolarWinds supply chain attacks that resulted in the compromise of hundreds of high-level organizations and firms were a clear warning about the need for a fundamentally different reporting system. Then came the Microsoft Exchange problem, which was soon discovered to have been known for at least a couple of months. Had the infosec agencies known about either case earlier, their effects would have been greatly mitigated, and the subsequent costs of the disruption would have been far lower.
According to sources invoked by Reuters in the same report, the breach notification requirement would override any non-disclosure agreement that may be in place, so there will be no excuses based on protecting property or anything like that. Only major software companies that supply the government with products may be obliged to comply with the order, but at this point, nothing is certain.
Also, the software vendors will have to preserve digital records that will be at least partially accessible by the FBI, CISA, and possibly also the NSA. When incidents occur, this access could be opened up to “full,” accelerating the development of defensive mechanisms and preventing threats from becoming a widespread and far more expensive problem.
In addition to all the above, the final executive order may also include the creation of a cybersecurity incident response board that will comprise representatives from key federal agencies as well as private infosec companies. Once the incidents currently under containment have been dealt with, this board may move on to a precautionary and advisory role.