By Craig S. Horbus & Jarman J. Smith on July 21, 2021
The first half of 2021 was full of high-profile cybersecurity incidents. So much so that the Biden administration has released an executive order containing directives aimed at boosting IT software security.[1] In theory, this executive order should help organizations avoid falling victim to cyberattacks similar to those experienced by Colonial Pipeline and JBS. The order tightens cybersecurity rules for government contractors and sets up an incident review board to ease the impact of major cyberattacks.
For months, U.S. government networks have been infiltrated by alleged Russian spies through the exploitation of software made by contractor SolarWinds. Additionally, U.S. businesses and local governments have been vulnerable to cyberattacks due to flaws in Microsoft software alleged to be exploited by Chinese hackers. The string of cyber incidents has influenced congressional investigations and has led U.S. officials to criticize the strength of our network defenses.[2] Although the executive order had been in development for weeks ahead of its release, the Colonial Pipeline ransomware attack is what ultimately made cybersecurity a more tangible issue for many Americans, allowing the Biden administration to capitalize on the opportunity to establish an initial foundation of cybersecurity and software standards on the federal level.
Requirements Under New Executive Order
Biden’s cybersecurity executive order requires federal contractors to promptly report cyber incidents to federal agencies, and the incident review board it established is a new government entity modeled after the National Transportation Safety Board that will review major cyber breaches. The order will also require software purchased by the government to meet a baseline set of security standards with hopes that such efforts will prevent cybercriminals from tampering with software code that ends up on federal networks.
The new executive order also aims to raise federal network defenses by mandating that agencies use multi-factor authentication, implement strong data encryption mechanisms, and store backup computer logs to recover from cyber-hacks with greater speed and efficiency. These new requirements should make IT software used within federal networks more secure.
Potential Drawbacks of New Executive Order
The cybersecurity executive order presents a comprehensive set of actions for the federal government to improve the cybersecurity of its networks, but the execution of such actions may be difficult. A framework for federal cybersecurity standards has been talked about for years, but the implementation will prove to be the key factor in establishing more secure networks in the United States. Federal agencies will need to examine whether or not they have the resources to meet the requirements of the executive order. Moreover, technology companies that contract with the federal government will also have to evaluate how the new order impacts their operations. Many private-sector technology companies may have to dramatically change their practices in order to comply with the new federal standards for software security. Nonetheless, it is clear that cybersecurity standards are necessary in this digital age. Thus, the need for a secure network infrastructure outweighs the potential obstacles that government agencies and contractors may face as we boost our cybersecurity efforts throughout the nation.
More Cybersecurity Support Likely to Come
The recent series of high-profile cyber incidents has prompted President Biden to spend more time on cybersecurity policy in his first 100 days in office than any other U.S. president.[3] Moreover, lawmakers have urged the Biden administration to heighten its cybersecurity support for pipelines, citing the cyberattack on Colonial Pipeline as an indicator of a lack of regulatory supervision over key components of the U.S. economy. Essentially, lawmakers believe that “any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government, so that our adversaries are not the first ones to discover cybersecurity weaknesses.”[4] Perhaps the nation’s shift of attention toward defending ourselves from cyberattacks could be the catalyst needed to unify citizens, lawmakers, businesses, and government agencies in order to establish more defined federal standards for cybersecurity and the protection of consumer data.
How Brouse Can Help
Many companies in the private technology and software development industry that contract with government agencies are impacted by the new executive order. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to develop an understanding of the executive order and to become compliant with its requirements. Along with providing general guidance through the complexities of data privacy laws and regulations, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
[4] Sen. Ron Wyden, D-Ore., https://www.cyberscoop.com/cyber-executive-order-biden-pipeline-russia-china/