As President Biden prepares to issue an executive order strengthening cybersecurity for federal agencies and contractors, questions over whether the order goes far enough have arisen in the wake of yet another ransomware attack that shuttered a pipeline providing roughly half of the East Coasts gas and jet fuel, reports the New York Times. The new order would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multifactor authentication. It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government. The order would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board.
Federal officials concede that the regulations would almost certainly have failed to thwart the most skilled nation-state intrusions and sophisticated disruptions that rocked the government and corporate America in recent months. While the order could be effective against the kind of ransomware attack that took over Colonial Pipeline’s headquarters, which was less sophisticated than Russian and Chinese cyberattacks, it is unclear if the President’s executive order would apply to the private corporation. Meanwhile, the Associated Press reports that ransomware gangs like the one that targeted the pipeline have also begun aggressively pressuring law enforcement agencies to pay ransoms on stolen data, including leaking or threatening to leak highly sensitive and potentially life-threatening information. A threat analyst has counted at least 11 law enforcement agencies affected by ransomware since the beginning of 2020. The attacks are potentially highly damaging when considering the amount of personal information police departments are able to collect and store due to advances in surveillance equipment and technologies such as artificial intelligence and facial recognition software.