Biden Signs Executive Order On Cybersecurity In Wake Of Pipeline Hack
NOEL KING, HOST:
All right. As a result of all of this, President Biden has signed an executive order to improve cybersecurity. It's intended to make the U.S. government and private companies more secure against breaches in the future. NPR's Greg Myre has been following this story. Good morning, Greg.
GREG MYRE, BYLINE: Hi, Noel.
KING: So we meet again on the same topic. The U.S. keeps getting hit by cyberattacks. What is President Biden proposing?
MYRE: Well, Biden's plan stresses the need for a much stronger and more formal partnership between the government and private companies. What we keep seeing are these foreign actors finding vulnerabilities in private U.S. companies. And obviously, they inflict damage on the company but often on the government and the country as well. And these can be criminal gangs, like we've seen here with the Colonial Pipeline hack, or they can be Russian government spies, as we saw in the SolarWinds hack. But regardless of the hacker and the motive, Biden's plan calls for specific steps to be taken before, during and after an attack.
KING: Let's start with before.
MYRE: The government will set security standards for commercial software and will only buy the products that meet these standards. The hope is that this will become the norm for the private sector as well. Senior administration officials said far too much software with weak security is hitting the market, and hackers then find these bugs and exploit them. So the goal is prevention rather than waiting for problems to arise and then patching them afterwards.
KING: That sounds prudent, but it is like whack-a-mole with hackers. They just pop up again and again and again. What if they still find a way in regardless?
MYRE: So the proposal here is a better reporting system. Right now, companies are encouraged to report hacks to the government, but it's not mandatory. The Colonial Pipeline breach is instructive here. The company did contact the FBI when it received a ransom demand last week, but it didn't tell the agency created three years ago to deal with precisely this kind of attack. And that's the Cybersecurity and Infrastructure Security Agency, or CISA. The head of the agency told a Senate committee on Tuesday he's still awaiting technical information so he could share it with other companies at risk. The administration wants to set up a playbook for reporting hacks, and then Congress could also enact a law to require companies to report breaches.
KING: OK. And then what would this executive order have people do after a cyberattack?
MYRE: So the administration is setting up a review board to do the forensics on serious intrusions. It would be similar to the National Transportation Safety Board, which investigates plane crashes and uses that information to help prevent future accidents. But the one thing this plan doesn't address is how to identify and arrest and prosecute hackers who are almost always coming from abroad.
KING: Yeah, tough one there. NPR's Greg Myre. Thank you, Greg.
MYRE: My pleasure.