Experts fear that Biden’s cybersecurity executive order will repeat mistakes of the past


Since December, the US has been in a cybersecurity crisis following FireEye’s bombshell that Russian hackers implanted espionage malware throughout US private sector and government networks through the SolarWinds supply chain hack. Despite growing pressure from Congress, the still-new Biden administration has released few details on how it plans to respond to this massive intrusion or the more concerning discovery in January of widespread and scattershot attacks by Chinese state operatives on Microsoft Exchange email server software.

Although the administration reportedly won’t release a formal executive order (EO) addressing these and other cybersecurity matters for weeks, Alejandro Mayorkas, the new head of the Department of Homeland Security (DHS), did reveal that the administration is working on nearly a dozen actions for the order. Meanwhile, some details of the order have leaked, generating mostly skepticism among many top cybersecurity professionals.

EO requires breach reporting, software standards, basic practices

According to a draft executive order seen by some reporters and selected experts, government contractors would be required to report attacks on their networks and software to federal government customers within a few days of discovery, much the same way the EU’s GDPR mandates data breach disclosures to regulatory authorities within 72 hours of discovery. According to reports, the relevant government customers would then pass on the reported data to DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The order would also reportedly require federal contractors to meet specific software standards and to adopt basic security practices, including data encryption and two-factor authentication. The order ostensibly further requires software vendors to secure their build systems, keeping those systems disconnected from the internet and tracking the identity of the workers who access them.

EO should recognize cloud, embrace new thinking

According to one cybersecurity expert who saw an early, high-level version of the EO, “The first takeaway for me is I’m concerned that there’s not enough recognition of the cloud side of things. It’s clear that that’s going to be a growing vector for future attacks. It is in some ways the part of this risk landscape that we have the least good information about in any detail,” the source tells CSO on background.

“Security standards are great, secure development is good,” the source adds. “It’s important. We’ve been debating this for 20 years. I haven’t seen the EO in its full text, but I’m concerned that we don’t know enough of how much these new policies around secure development have learned the lessons from what’s been tried before.”

Copyright © 2021 IDG Communications, Inc.
