Quote:The U.S. federal government is mulling changes to up its cybersecurity software game in the wake of the sprawling SolarWinds cyberattacks that came to light in December, including requiring data-breach notifications.
In a draft executive order from President Joe Biden, software companies would be required to disclose any security issues to government users, according to a report from Reuters.
“The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” a spokeswoman for the National Security Council told the outlet. Referring to the SolarWinds incident, she noted that, “Simply put, you can’t fix what you don’t know about.”
In that campaign, adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March, before being discovered in December. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a massive cyberespionage campaign that has hit nine U.S. government agencies, tech companies like Microsoft and 100 others hard.
The other draft cybersecurity orders in the EO, according to Reuters, include requiring a “software bill of materials” for all packages in use across the government, detailing the source of all code, including open-source and partner pieces. And, it would mandate the use of multifactor authentication and data encryption for federal agencies.
The order as it now stands would also require vendors to keep digital records and work with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on incident response, according to the report.
Read more: E.O. Would Strengthen Federal Cyber Requirements | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
