Exclusive: Software vendors would have to disclose user violations to the US government under the new order: Draft
By Joseph Menn, Christopher Bing, and Nandita Bose
SAN FRANCISCO / WASHINGTON (Reuters) – According to a draft from Reuters, many software vendors are required to notify their customers to the federal government when companies have a cybersecurity breach.
A spokeswoman for the National Security Council said no decision had been made on the final content of the executive order. The order could be published as early as next week.
The SolarWinds Corp hack, leaked in December, revealed, “The federal government must be able to investigate and eliminate threats to the services it provides to the American people early and quickly. Put simply, you can’t fix what you don’t know, “the spokeswoman said.
In the SolarWinds case, hackers suspected of working for the Russian government infiltrated its network management software and added code that the hackers could use to spy on end users.
The hackers penetrated nine federal agencies and 100 companies, including Microsoft Corp. (NASDAQ 🙂 and other big tech companies.
The proposed regulation would take measures that security experts have long been looking for, including requiring multi-factor authentication and encryption of data within federal agencies.
The arrangement would impose additional rules for programs that are classified as critical, such as the requirement of a “software bill of materials” setting out what is in it. An increasing amount of software activates other programs and increases the risk of hidden vulnerabilities.
The notification requirement has the most immediate effects. The rule aims to override nondisclosure agreements that vendors said restrict information sharing and allow officials to report more tampering.
The order would also force providers to keep more digital records and work with the FBI and the Department of Homeland Security’s cybersecurity and infrastructure agency known as CISA when responding to incidents.
In practice, the changes will be made through updates to the state acquisition rules. Large software companies that sell to the government, such as Microsoft and SalesForce, will be affected by the change, said those familiar with the plans.
In the past, Congress has attempted to introduce national data breach reporting law, but has failed due to opposition from industry. Such a bill would have required companies experiencing hacks to publicize them through government agencies.
If completed close to the draft, the implementing regulation would partially achieve the general disclosure objective. A new disclosure law may also be introduced.
The draft regulation would also establish a cybersecurity incident response committee with representatives from federal agencies and cybersecurity companies. The forum would encourage providers and victims to share information, possibly with a combination of incentives and liability protection.
Disclaimer: Fusion Media would like to remind you that the information contained on this website is not necessarily real-time or accurate. All CFDs (stocks, indices, futures) and forex prices are not provided by exchanges, but by market makers. Therefore, prices may not be accurate and may differ from the actual market price. This means that the prices are indicative and not suitable for trading purposes. Therefore, Fusion Media is not responsible for any trading losses you may incur as a result of using this data.
Fusion Media or any person involved with Fusion Media assumes no liability for any loss or damage caused by reliance on the information contained on this website, such as data, offers, charts and buy / sell signals. Please inform yourself comprehensively about the risks and costs associated with trading in the financial markets. This is one of the riskiest forms of investment possible.