President Biden outlines new software policy following recent cyberattacks
But some say prescriptive regulations may not be the right approach
US President Joe Biden has signed an executive order outlining new steps for software vendors engaging with the government in order to prevent possible future cyberattacks.
Rumors about the order first surfaced in March, on the heels of the SolarWinds cyberattacks directed against multiple government organisations, with the recent ransomware attack on the Colonial Pipeline seemingly the final straw.
Reports quoting an unnamed senior administration official say that the new executive order “reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”
- These are the best endpoint protection tools
- Check our list of the best firewall apps and services
- Here’s our collection of the best disaster recovery services
The executive order calls for establishing baseline cybersecurity standards for all software sold to the federal government. It also mandates software vendors to notify their government customers of any cybersecurity breaches.
Wrong approach?
The move has generated a mixed response from the software industry. While the software vendors that TechRadar Pro spoke to welcomed the move, they voiced concerns about the prescriptive nature of the order.
“The new executive order is a swing and a miss from the government. Prescriptive regulations for the software industry simply will not work -- the federal government cannot move quickly enough to effectively regulate how software is built,” said Jeff Hudson, CEO of identity management company Venafi.
Hudson noted that the order fails to address the threat from machine to machine communication. A better approach is for the government to incentivize the software industry to build better, secure software, he added.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Jyoti Bansal, CEO of Traceable and Harness, which develops tools to secure the application development pipeline agrees that prescriptive regulation alone is insufficient.
“The industry as a whole needs to shift security left — ensuring that security is implemented in the software development life cycle instead of waiting to add in security after products are deployed into production,” said Bansal.
“This order, as it stands, will slow down software companies and give attackers the opportunity to innovate faster,” warns Hudson.
- Protect your devices with these best antivirus software
Via The Hill
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.