President Biden’s executive
order to shore up U.S. cybersecurity will force many companies selling software to the
government to report attacks
on their systems, sharing information that officials and
cyber experts say is increasingly important to U.S. security.
The obligations represent a
shift for the private sector,
which has resisted such requirements for fear of financial and reputational damage
resulting from the release of
sensitive information about
breaches.
The government still is determining which vendors the
new rules will cover, which
data about threats they will
require and how quickly companies will need to report.
Regulators’ approach to specific rules in the coming
months will determine the order’s full impact on the private
sector, cybersecurity experts
and software industry lobbyists say.
Despite the outstanding
questions, mandatory breach
reporting will help better secure public and private computer networks, said Amit
Yoran, chief executive of cybersecurity firm Tenable Inc.
“One of the most foundational challenges in cybersecurity is the lack of transparency,” said Mr. Yoran, whose
company sells tools to the Defense Department and other
agencies.
More businesses and lawmakers now call for mandatory breach reporting after the
hack last year of U.S. agencies
and companies through a compromised software update
from SolarWinds Corp.
The Biden administration’s
announcement last week came
as another major cyberattack
yielded real-world consequences. Colonial Pipeline Co.
was restoring service to the
East Coast’s main fuel conduit
after a ransomware attack led
to a five-day outage that
snarled regional gas supply
and increased prices.
The executive order dials
up agencies’ cyber practices
with requirements such as
multifactor authentication and
imposes new standards for
how federal contractors build
and manage software. Regulators in the coming months
plan to issue new guidelines
for how contractors secure
their development environments, encrypt data and
tighten up access to their systems.
A senior administration official said the government
hopes its buying power will
push such safeguards to become the norm among software suppliers, aiding companies such as Colonial Pipeline
that may use the same vendors.
U.S. agencies plan to recommend which cyber incidents
vendors must report to the
government and what information they have to share
about their attempts to prevent, detect and respond to
breaches. Crucially, regulators
will spell out what types of
companies must comply.
“You could apply this to a
narrow category of contractors that have very specific
government contracts,” said
Alex Iftimie, a partner specializing in cybersecurity in the
San Francisco office of law
firm Morrison Foerster LLP.
“Or, theoretically, you could
apply this very broadly to vendors and service providers
that provide services much
more broadly than to the federal government.”
Federal information-technology vendors range from
huge companies such as Microsoft Corp. that provide
workplace tools and cloud
storage to small software developers that help sort documents.
Smaller companies could
face more difficulty complying
with the rules because many
have fewer security staffers or
outsource the monitoring of
their networks, said Scott Algeier, executive director of the
Information Technology Information Sharing and Analysis
Center.
Mr. Algeier, whose consortium shares data about cyber
threats among companies, said
a required time frame for reporting, reaching no more
than three days for incidents
the executive order describes
as “severe,” could be onerous
for cash-strapped firms.
“Do I devote my resources
to getting the adversary out of
the network, or do I devote
my resources to this three-day
reporting requirement?” Mr.
Algeier said.
Aaron Cooper, vice president for global policy at the
BSA | The Software Alliance, a
trade group, cautioned that
mandated reporting of an array of hacks could also deluge
U.S. officials with useless data.
“There’s a burden on the
government side, if they are
collecting too much information about potential cybersecurity incidents, that they
won’t be able to sift through
the noise,” he said. Companies
flooded the Irish data regulator with such reports after the
European Union’s General Data
Protection Regulation took effect in 2018.
Analyzing data from vendors could be a significant
way for U.S. officials to coordinate their response to cyberattacks across government
agencies and with private contractors. The executive order
pushes for standard contractual language in the hope of
unifying different agencies’ security requirements.
Standardized contracts
could help streamline communication between software developers and various agencies
after an incident, said Morgan
Reed, president of ACT | The
App Association, a trade group
for developers.
“That helps remove confusion and helps the speed at
which we can solve problems
and plug holes,” Mr. Reed said