President Biden outlines new software policy following recent cyberattacks

But some say prescriptive regulations may not be the right approach


US President Joe Biden has signed an executive order outlining new steps for software vendors engaging with the government in order to prevent possible future cyberattacks.

Rumors about the order first surfaced in March, on the heels of the SolarWinds cyberattacks directed against multiple government organisations, with the recent ransomware attack on the Colonial Pipeline seemingly the final straw.

Reports quoting an unnamed senior administration official say that the new executive order “reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”

The executive order calls for establishing baseline cybersecurity standards for all software sold to the federal government. It also mandates that software vendors notify their government customers of any cybersecurity breaches.

Wrong approach?

The move has generated a mixed response from the software industry. While the software vendors that TechRadar Pro spoke to welcomed the move, they voiced concerns about the prescriptive nature of the order.

“The new executive order is a swing and a miss from the government. Prescriptive regulations for the software industry simply will not work – the federal government cannot move quickly enough to effectively regulate how software is built,” said Jeff Hudson, CEO of identity management company Venafi.

Hudson noted that the order fails to address the threat from machine-to-machine communication. A better approach, he added, would be for the government to incentivize the software industry to build better, more secure software.

Jyoti Bansal, CEO of Traceable and Harness, which develops tools to secure the application development pipeline, agrees that prescriptive regulation alone is insufficient.

“The industry as a whole needs to shift security left — ensuring that security is implemented in the software development life cycle instead of waiting to add in security after products are deployed into production,” said Bansal.

“This order, as it stands, will slow down software companies and give attackers the opportunity to innovate faster,” warns Hudson.

Via The Hill

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
