President Biden’s executive order on Wednesday to shore up U.S. cybersecurity will force many companies selling software to the government to report attacks on their systems, sharing information that officials and cyber experts say is increasingly important to U.S. security.
The obligations represent a shift for the private sector, which has resisted such requirements for fear of financial and reputational damage resulting from the release of sensitive information about breaches.
The government still is determining which vendors the new rules will cover, what data about threats they will require and how quickly companies will need to report. Regulators’ approach to specific rules in the coming months will determine the order’s full impact on the private sector, cybersecurity experts and software industry lobbyists say.
Despite the outstanding questions, mandatory breach reporting will help better secure public and private computer networks, said
chief executive of cybersecurity firm Tenable Inc.
“One of the most foundational challenges in cybersecurity is the lack of transparency,” said Mr. Yoran, whose company sells tools to the Defense Department and other agencies.
More businesses and lawmakers now call for mandatory breach reporting after the hack last year of U.S. agencies and companies through a compromised software update from
The Biden administration’s announcement came as another major cyberattack yielded real-world consequences. Colonial Pipeline Co. on Wednesday began restoring service to the East Coast’s main fuel conduit after a ransomware attack led to a five-day outage that snarled regional gas supply and increased prices.
The executive order dials up agencies’ cyber practices with requirements such as multifactor authentication and imposes new standards for how federal contractors build and manage software. Regulators in the coming months plan to issue new guidelines for how contractors secure their development environments, encrypt data and tighten up access to their systems.
A senior administration official said Wednesday the government hopes its buying power will push such safeguards to become the norm among software suppliers, aiding companies such as Colonial Pipeline that may use the same vendors.
In the next 45 days, U.S. agencies plan to recommend which cyber incidents vendors must report to the government and what information they have to share about their attempts to prevent, detect and respond to breaches. Crucially, regulators will spell out what types of companies must comply.
“You could apply this to a narrow category of contractors that have very specific government contracts,” said Alex Iftimie, a partner specializing in cybersecurity in the San Francisco office of law firm Morrison Foerster LLP. “Or, theoretically, you could apply this very broadly to vendors and service providers that provide services much more broadly than to the federal government.”
Federal information-technology vendors range from huge companies such as
that provide workplace tools and cloud storage to small software developers that help sort documents.
Smaller companies could face more difficulty complying with the rules because many have fewer security staffers or outsource the monitoring of their networks, said Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center.
Mr. Algeier, whose consortium shares data about cyber threats among companies, said a required time frame for reporting, reaching no more than three days for incidents the executive order describes as “severe,” could be onerous for cash-strapped firms.
“Do I devote my resources to getting the adversary out of the network, or do I devote my resources to this three-day reporting requirement?” Mr. Algeier said.
Aaron Cooper, vice president for global policy at the BSA | The Software Alliance, a trade group, cautioned that mandated reporting of an array of hacks could also deluge U.S. officials with useless data.
“There’s a burden on the government side, if they are collecting too much information about potential cybersecurity incidents, that they won’t be able to sift through the noise,” he said. Companies flooded the Irish data regulator with such reports after the European Union’s General Data Protection Regulation took effect in 2018.
Analyzing data from vendors could be a significant way for U.S. officials to coordinate their response to cyberattacks across government agencies and with private contractors. The executive order pushes for standard contractual language in the hope of unifying different agencies’ security requirements.
Standardized contracts could help streamline communication between software developers and various agencies after an incident, said Morgan Reed, president of ACT | The App Association, a trade group for developers.
“That helps remove confusion and helps the speed at which we can solve problems and plug holes,” Mr. Reed said.
Write to David Uberti at email@example.com and Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8