Re: dropdeadfred post# 594

Tuesday, 05/11/2021 2:09:08 PM

Post# of 2661
Remember Trump's cyber security initiatives? Me neither.


Biden Plans an Order to Strengthen Cyberdefenses. Will It Be Enough?

A hacking of a major pipeline, the latest evidence of the nation’s vulnerabilities to cyberattacks, prompted questions about whether the administration should go further.

The spate of recent cyberattacks includes the major SolarWinds hack by Russia.

By David E. Sanger, Nicole Perlroth and Julian E. Barnes

May 9, 2021

https://www.nytimes.com/2021/05/09/us/politics/biden-cyberattack-response.html

WASHINGTON — A pipeline that provides the East Coast with nearly half its gasoline and jet fuel remained shuttered on Sunday after yet another ransomware attack, prompting emergency White House meetings and new questions about whether an executive order strengthening cybersecurity for federal agencies and contractors goes far enough even as President Biden prepares to issue it.

The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefense.

It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multifactor authentication, a version of what happens when consumers get a second code from a bank or credit-card company to allow them to log in.

It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government.

Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.

“That is the stick,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Companies will be held liable if they’re not telling the truth.”


The order, which is expected to be issued in the coming days or weeks, would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board, which investigates major accidents at air or sea.

The measures are intended to address the fact that the software company SolarWinds made for such an easy target for Russia’s premier intelligence agency, which used its software update to burrow into nine federal agencies as well as technology firms and even some utility companies.

(Despite SolarWinds’ incredible access to federal networks, an intern had set the firm’s password to its software update mechanism to “SolarWinds123,” among other lapses, though it remains unclear how Russian hackers first breached the company.)

