On Wednesday, May 12, President Biden signed an extensive executive order (E.O.) on improving the United States' cybersecurity posture. The E.O. is directed at US federal departments and agencies and their federal contractors, but the standards that result from it will likely reach much further, across global critical infrastructure sectors and the technology suppliers that serve them.
Prompted by a series of serious cyber-attacks, the E.O. acknowledges that the United States will continue to face sophisticated cyber threats with progressively more severe impacts. Recent attacks affecting SolarWinds and Colonial Pipeline, in addition to attacks on healthcare and other critical infrastructure sectors, have been highly disruptive and have also exposed significant software supply chain vulnerabilities.
And while the directives in the E.O. will technically apply only to US federal departments, agencies, and their technology suppliers, it is likely that broader categories of buyers and suppliers across critical infrastructure will adopt them as a "north star" for security expectations.
The US government and private industry alike find it challenging to share accurate and actionable threat intelligence. The E.O. acknowledges the unique visibility that technology providers have into threat activity and seeks to foster more sharing of threat intelligence to advance economic and national security across sectors. Additionally, the E.O. aims to expand breach notification expectations for software product and service providers—an important step towards reducing the window of opportunity attackers have to mount repeatable attacks on multiple targets.