Biden Signs Cybersecurity Executive Order Following Colonial Pipeline Hack
AILSA CHANG, HOST:
President Biden signed an executive order today to boost the country's cyber defenses. It follows several major cybersecurity incidents, including the ransomware attack on a pipeline company that has prompted gas shortages in the southeast. The broad order seeks to strengthen cybersecurity for federal networks and outline new security standards for commercial software used by businesses and the public. The White House says it's about shifting the mindset from always responding to incidents to preventing them before they happen. Here with more is NPR White House correspondent Franco Ordoñez. Hey, Franco.
FRANCO ORDOÑEZ, BYLINE: Hey, Ailsa.
CHANG: So what more can you tell us about this executive order?
ORDOÑEZ: Well, the border - the order basically lays out a series of new requirements for companies that do business with the government. It requires companies to report breaches and share cyber threat information. It also updates security standards on government networks, including mandating multifactor authentication. It also establishes a Cybersecurity Safety Review Board to review these incidents. It's modeled on the National Transportation Safety Board that reviews airplane incidents. I mean, the Biden administration says that the Colonial Pipeline attack, as well as the recent SolarWinds and Microsoft Exchange attacks, just make clear how vulnerable our public and private networks are and that the status quo is no longer acceptable.
CHANG: Yeah. Well, I get that the government can control what happens on its own networks. But if there's a lot of concern about private companies, what does this executive order do about their cybersecurity?
ORDOÑEZ: Well, part of it is increasing the security requirements for companies that the government does business with, the idea being to use the purchasing power of the federal government to get those higher standards to trickle down through the private sector. They want a pilot program like those Energy Star ratings on appliances so consumers know if software was developed securely. Here is deputy national security adviser Anne Neuberger talking about that point last month with NPR's Dina Temple-Raston.
(SOUNDBITE OF ARCHIVED NPR BROADCAST)
ANNE NEUBERGER: We see small companies being forced to pay a ransom to get their business back up and running. You know, we see school systems' networks down due to criminals. So those risks touch everyday Americans' lives as well as at the national level.
CHANG: All true. Well, I know that President Biden does plan to meet with Russian President Vladimir Putin. He didn't directly accuse the Russian government of being behind the Colonial Pipeline attack, but he did suggest that they had some responsibility, right?
ORDOÑEZ: Yeah. Biden has said, you know, many times that these hacking attacks on the United States are just not acceptable, but that the Russians have not stopped it or they're implicitly allowing it to happen. Now, the leaders are expected to speak next month. And as part of their conversation, they're expected to talk about arms control. And this could be part of that. Matthew Rojansky, the director of the Kennan Institute, who is close to the administration, told me it makes sense for the two sides to use this opportunity to start outlining some rules of engagement.
MATTHEW ROJANSKY: And you can start just by laying out red lines and talking about deterrence. You know, if you do X, we do Y. You don't want Y, so don't do X. But you can move from there eventually, you know, build a little bit of working trust and possibly establish an actual framework that looks like arms control.
ORDOÑEZ: Now, Rojansky says both governments are vulnerable, and it's in both of their interests to establish some guidelines and establish basically what's acceptable behavior and what's not.
CHANG: That is NPR's Franco Ordoñez. Thank you, Franco.
ROJANSKY: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.