Biden Order Aims To Tighten Software Security Practices -- Redmondmag.com

Biden Order Aims To Tighten Software Security Practices

By Kurt Mackie
05/13/2021

The Biden administration on Wednesday announced an executive order aiming to tighten software security practices generally, following recent attacks.

Those recent attacks included the "SolarWinds, Microsoft Exchange, and the Colonial Pipeline" incidents, the announcement indicated. Government agencies recently issued security practices advice after a ransomware attack last week on Colonial Pipeline, which disrupted U.S. East fuel supplies. A Thursday report by Bloomberg stated that Colonial Pipeline paid almost $5 million to the attackers, citing unnamed sources, but it had trouble decrypting the ransomed data after getting the key.

Several measures are indicated in the executive order. While the measures apply to federal agencies, the aim is to influence private sector practices, too, steered by federal purchasing power.

"We encourage private sector companies to follow the Federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents," the announcement stated.

The executive order aims to remove contractual barriers to information sharing between IT service providers and the government, although it didn't describe how that task would be accomplished. The order also calls for standardizing federal agencies' responses to cybersecurity incidents.

A Cybersecurity Safety Review Board, combining government officials and the private sector, is getting formed to make recommendations on cybersecurity. It'll be modeled after the National Transportation Safety Board, which reviews airline safety, incidents and crashes.

The order advocates the federal use of zero-trust architectures, with secure use of cloud-based services. Additionally, the order "mandates deployment of multifactor authentication and encryption with a specific time period," although details weren't provided.

The order described establishing a "Government-wide Endpoint Detection and Response (EDR)" system to better share information on security incidents. Federal agencies also are ordered to establish "robust and consistent logging practices."

A pilot program to label software, indicating the degree to which secure software development practices were used, is described in the order. This program might take the form of the current Energy Star program, which oversees energy-efficiency labels.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.