The order had been in the works for months, but it comes after a hack of Colonial Pipeline Co. forced the company to cut off the flow of fuel to much of the U.S. East Coast last Friday, leading to gasoline shortages and filling stations running out.
Colonial said Wednesday evening that the pipeline was returning to service.
A senior administration official told reporters on a conference call that the order only makes a down payment toward modernizing cyberdefenses, and stressed that the White House wants to focus on secure software development on building more secure software products for Americans.
All the software the federal government buys must meet the new standards within nine months, the official said, adding that the improvements in the federal government will be rolled out within six months.
And IT service providers that experience a hack will have new rules for sharing details about the incident, within specific timelines based on a sliding scale on the severity of the incident, added the official, who was granted anonymity to discuss the order.
The attacks on Colonial and one carried out last year on SolarWinds Corp., which compromised popular software to break into several government agencies and dozens of private companies, underscored the vulnerability of both government and private networks.
“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity,” the White House said in a Wednesday release outlining the order. “These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
But officials, speaking on condition of anonymity, said that if all the provisions in the order had been in place already, it might not have prevented the attack on SolarWinds or the Colonial Pipeline.
The order requires companies that work with the U.S. government to meet certain software standards, as well require improvements for federal agencies’ basic security practices, including mandating data encryption and two-factor authentication, the official said.
The White House intends to create a cybersecurity incident review board that would investigate attacks.
The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.
As a result of the shutdown of Colonial — North America’s largest petroleum pipeline — gasoline shortages spread across the U.S. South after motorists raced to fill their tanks.
©2021 Bloomberg L.P. Distributed by Tribune Content Agency, LLC