Movement on regulations and legislation could be slow. So, stepping into the current void of regulation, President Biden on May 12 signed an executive order focused on helping both the public and private sectors prepare for and combat malicious cyberattacks. According to the White House, the Order aims to:
The order is part of a broad effort to strengthen the United States’ defenses by encouraging private companies to practice better cybersecurity or risk being locked out of federal contracts. But the bigger effect may arise from what could, over time, become akin to a government rating of the security of software products, much the way automobiles get a safety rating.
Although the new policies and standards in the executive order will apply only to federal governmental agencies, there are still important implications for companies that do business with the federal government and for the private sector in general. For example, the Executive Order directs the federal government to develop a standard set of operational procedures to be used in responding to cybersecurity vulnerabilities and incidents. Even if this standardized approach is voluntary for the private sector, the White House stated that the playbook would “provide the private sector with a template for its response efforts.” To avoid legal liability, private sector entities are likely to choose to follow this playbook in any cyber incident responses.
The Order was hailed by former Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs, who said the order “dramatically increases security expectations of the software products that are sold to the federal government.” The former top federal cybersecurity official also said that “it's a really ambitious plan. I think it should be effective if implemented properly.”
Thus far, industry has been cautiously optimistic about Biden’s order. Companies say the standards outlined could bring much-needed clarity to a confusing patchwork of existing federal cybersecurity standards, especially for companies doing business with the federal government. However, industry groups have cautioned that, as always, the devil is in the details. Defining security requirements for federal agencies and their software providers is a difficult task. Until those details are fleshed out, it is impossible to say if the order will move the industry toward a safer system.
Meanwhile, Congress isn’t letting the Colonial Pipeline outage pass without review, announcing May 24 that Colonial Pipeline CEO Joseph Blount, who has run the pipeline for nearly four years, will appear in a virtual hearing of the House Homeland Security Committee called “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure” on June 9.