As part of a broad effort to strengthen the United States’ defenses by encouraging private companies to practice better cybersecurity or risk being locked out of federal contracts, President Joe Biden signed an executive order on Wednesday that placed strict new standards on the cybersecurity of any software sold to the federal government, reports the New York Times. The order comes amid a wave of new cyberattacks, more sophisticated and far-reaching than ever. Over the past year, roughly 2,400 ransomware attacks have hit corporate, local and federal offices in extortion plots that lock up or publish victims’ data if they fail to pay a ransom.
For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although the companies would have to “self-certify,” violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market. The order also establishes an incident review board to learn lessons from major hacking episodes such as the SolarWinds hack. The new order requires all federal agencies to encrypt data, whether it is in storage or while it is being transmitted. Previous efforts to mandate minimum standards on software have failed to get through Congress in the face of protest from small companies that say the changes are not affordable, and larger ones that have opposed an intrusive role of the federal government. The new order focuses entirely on deepening defenses, in hopes of deterring attackers because they fear they would fail—or run a higher risk of being detected.