As China hacking threat builds, Biden to order tougher cybersecurity standards

13 Jan, 2025
Biden's proposal calls for tougher standards for secure software development, the ability to verify that those standards have been met, and a process for the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the process, according to the draft.
Vendors will have to provide secure software development documentation to be evaluated and validated by CISA through the agency's software attestation program. Attestations that “fail validation” could be referred to the attorney general for “action as appropriate,” according to the draft.
Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security, said the attestation provisions do not go far enough but that he “applauds” the efforts to push more secure software development. The timelines for implementation laid out by the order seem “arbitrary,” he said, given the immediacy of the threats from China, Russia and powerful cybercriminal syndicates.
“They’re already here,” Kellermann said. “We are dealing with literally an insurgency across critical infrastructure and U.S. government agencies that has been stoked by the Russians and Chinese.”
The order also mandates the development of guidelines to securely manage access tokens and cryptographic keys used by cloud providers. Chinese-linked hackers abused this method to access email accounts used by top U.S. government officials in May of 2023, Microsoft said at the time.
Brandon Wales, vice president of cybersecurity strategy at cybersecurity company SentinelOne and formerly a top CISA official, told Reuters the order builds on ongoing work over the last five years to develop capabilities and get the right authorities and funding. While the threat from China looms large – a “pacing threat” that is “driving the urgency and focus across the government” – the U.S. government and the private sector face a plethora of threats that need to be addressed.
“It makes sense to continue to look for ways to get the most value out of capabilities that have been built over the past two administrations,” Wales said.
The White House declined to comment and CISA did not respond to a request for comment.
