A rumored new US presidential order could force software vendors to notify their government customers of any cybersecurity breaches.
According to Reuters, the order, which could come into force as early as next week, makes several key changes to federal software acquisition rules, mainly in light of the SolarWinds supply-chain attack late last year.
The SolarWinds hack affected hundreds of public and private networks across the globe, including dozens of federal networks in the US. Instead of directly attacking the federal networks, the threat actors targeted a third-party vendor, SolarWinds, which supplies software to them.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Software bill of materials
By compromising a piece of software in the supply chain, the hackers created multiple entry points to get inside secured networks.
To correct this, the proposed order calls for vendors supplying software solutions to US government agencies, to submit a software bill of materials, which lists details about other software and tools that have been rolled into the solution.
While this wouldn’t be an issue for open source software, for a majority of proprietary software, compiling and sharing such details would entail breaking non-disclosure agreements (NDA).
“The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly. Simply put, you can’t fix what you don’t know about,” the spokeswoman reportedly told Reuters.
It’s also reported that the order compels government software suppliers to increase their digital record keeping and coordinate with the FBI and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) when responding to any future cybersecurity attacks.
This would be similar to the GDPR currently in force in Europe, under which any company that is hit by a data breach has to inform the relevant authorities within 72 hours of becoming aware of the incident.
Some of the world’s biggest names, including the likes of British Airways, Marriott and EasyJet, have suffered data breaches recently, potentially meaning millions of users could potentially be at risk of fraud.
Via: Reuters