By Joseph Menn, Christopher Bing and Nandita Bose
SAN FRANCISCO/WASHINGTON (Reuters) - A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, according to a draft seen by Reuters.
A National Security Council spokeswoman said no decision has been made on the final content of the executive order. The order could be released as early as next week.
The SolarWinds Corp hack, which came to light in December, showed “the federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about," the spokeswoman said.
In the SolarWinds case, hackers suspected of working for the Russian government infiltrated its network management software and added code that allowed the hackers to spy on end users.
The hackers penetrated nine federal agencies and 100 companies, including Microsoft Corp (NASDAQ:MSFT) and other major tech companies.
The proposed order would adopt measures long sought by security experts, including requiring multi-factor authentication and encryption of data inside federal agencies.
The order would impose additional rules on programs deemed critical, such as requiring a "software bill of materials" that spells out what is inside. An increasing amount of software activates other programs, expanding the risk of hidden vulnerabilities.
The notification requirement will have the most immediate impact. The rule aims to override non-disclosure agreements, which vendors have said limited information sharing, and allow officials to view more intrusions.
The order also would compel vendors to preserve more digital records and work with the FBI and the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, known as CISA, when responding to incidents.
In practice, the changes will occur through updates to federal acquisition rules. Major software companies that sell to the government, like Microsoft and SalesForce, will be affected by the change, said people familiar with the plans.
In the past, Congress has tried to establish a national data breach notification law but has failed because of industry resistance. Such a bill would have obligated companies that experience hacks to disclose them publicly through government agencies.
If finalized in close to the draft form, the executive order would partially achieve the broad disclosure goal. A new law on public disclosure may also be introduced.
The draft order would also create a cybersecurity incident response board, with representatives from federal agencies and cybersecurity companies. The forum would encourage vendors and victims to share information, perhaps with a combination of incentives and liability protections.