Exclusive: Software Vendors Would Have To Disclose Breaches To U.S. Government Users Under New Order
SAN FRANCISCO: A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, according to a draft seen by Reuters.
A National Security Council spokeswoman said no decision has been made on the final content of the executive order.
The SolarWinds hack, which came to light in December, showed “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about,” the spokeswoman said.
The proposed order outlines several digital security recommendations, including the notification requirements for service providers, according to four people familiar with the plan.
The order also will require vendors to preserve more digital records for investigating hacks and work with the FBI and the Homeland Security Department’s Cybersecurity Infrastructure Security Agency, known as CISA, when responding to incidents.
In practice, the change will occur through updates to federal acquisition rules. Major software companies that sell to the government, like Microsoft or Salesforce, would be affected by the change, said two of the people familiar with the plans.
In the past, Congress has tried to establish a national data breach notification law but has failed because of industry resistance. Such a bill would have compelled companies that experience hacks to disclose them publicly through government agencies, rather than keep them secret.
Software from the U.S. tech company SolarWinds was used as a springboard to compromise a raft of U.S. government agencies. The operation, which was identified in December and which the U.S. government has said was likely orchestrated by Russia, gave hackers access to thousands of companies and government offices that used its products.