That attack, which temporarily shut down the pipeline supplying fuel to the eastern United States this week, caused gas stations to run dry and gas prices to spike as Americans flocked to the pumps in a spurt of panic buying.
A senior administration official likened the new requirements and labeling to purchasing a minivan with reliable ratings or building an earthquake-proof building in an area prone to seismic activity.
“The growing number and impact of incidents show us software security has to be a basic design consideration,” the official said.
The order would also create new protocols following a hack, requiring agencies and companies to share information with the federal government in the hopes of preventing the incident from spreading. A new panel will be created to review cybersecurity incidents, similar to the transportation board that investigates plane crashes.
The order is limited to products and companies used by the federal government. But administration officials said they were hopeful the government’s vast purchasing power would spur other companies to follow suit in order to remain competitive. And many of the products used by the government — including Microsoft’s Outlook platform and Juniper’s networking products — are used widely in the private sector.
A senior administration official said those incidents shared commonalities, including poor software security and “a laissez-faire attitude toward cybersecurity.”
“For too long we’ve failed to take steps to modernize our cybersecurity defenses because doing so takes time, effort and money. Instead we’ve accepted we’ll move from one incident response to the next,” the official said.
Still, officials acknowledged that companies like Colonial Pipeline will not necessarily be subject to the requirements for federal contractors, even if the trickle-down effect on software would apply to their networks.
Instead, an official expressed hope that both private companies like Colonial and lawmakers looking to draft cybersecurity legislation would look to the new executive order as establishing “goalposts” for further action.