ProPublica is a nonprofit newsroom that investigates abuses of power.
On Thursday, in his final week in office, President Joe Biden issued an executive order aimed at strengthening the nation’s cyber defenses, including a requirement that software vendors such as Microsoft provide proof that they meet certain security standards before they are allowed to sell their products to the federal government.
The action follows a wave of cyberattacks in recent years in which hackers linked to Russia, China and other adversaries exploited software vulnerabilities to steal sensitive documents from federal agencies.
In demanding more accountability from software makers, Biden highlighted cases in which contractors “commit to following cybersecurity practices, but fail to address well-known exploitable vulnerabilities in their software, which exposes the government to the risk of compromise.”
In June, ProPublica reported on a similar case involving Microsoft, the federal government’s largest IT vendor. In the so-called SolarWinds attack, discovered shortly before Biden took office, Russian state-sponsored hackers exploited a weakness in a Microsoft product to steal sensitive data from the National Nuclear Security Administration and other agencies. ProPublica found that for years Microsoft executives ignored warnings from one of their own engineers about the flaw because they feared that publicly acknowledging it would alienate the federal government and cause the company to lose ground to its competitors.
This culture of profit over security was driven in large part by the rush to capture the multibillion-dollar cloud computing market, ProPublica reported. A former Microsoft supervisor described the attitude as, “Do whatever it takes to win, because you have to win.”
Microsoft defended its decision not to fix the flaw, telling ProPublica in June that the company’s assessment at the time involved “multiple reviews” and that it weighed several factors when making security decisions, including “potential customer disruption, operability and available mitigation measures.” But in the months and years since the SolarWinds hack, Microsoft’s security failings have contributed to other attacks on the government, including one in 2023 in which hackers linked to the Chinese government gained access to the emails of senior U.S. officials. The federal Cyber Safety Review Board later found that the company had deprioritized security investments and risk management, leading to a “cascade of … preventable errors.”
Microsoft has said it is committed to putting security “above all else.”
To be sure, Microsoft isn’t the only company whose products have given hackers access to government networks. The Russian hackers behind the SolarWinds attack first got into victims’ networks through tainted software updates distributed by Texas-based SolarWinds, and only then exploited the flawed Microsoft product.
To help prevent future hacks, the government wants software companies to provide proof that they use “secure software development practices to reduce the number and severity of vulnerabilities” in their products, according to the order. In addition, the government “must adopt more rigorous third-party risk management practices” to verify that vendors actually follow those practices, Biden said. He called for changes to the Federal Acquisition Regulation, the government’s procurement rules, to implement the requirements. If the changes are fully adopted, vendors that violate the new requirements could be referred to the attorney general for legal action.
Biden also said that strengthening the security of federal “identity management systems” was “particularly critical” to improving the country’s cybersecurity. Indeed, the Microsoft product at the center of ProPublica’s June article was a so-called identity product that lets users access almost any program they use at work with a single login. By exploiting the weakness in that identity product during the SolarWinds attack, the Russian hackers were able to quickly siphon emails from victims’ networks.
In November, ProPublica reported that Microsoft capitalized on the SolarWinds attack in its aftermath by offering federal agencies free trials of its cybersecurity products. The move effectively locked those agencies into more expensive software licenses and significantly expanded Microsoft’s footprint within the federal government. The company told ProPublica that its offer was a direct response to “an urgent request from the administration to strengthen the security posture of federal agencies.” In his executive order, Biden addressed the consequences of that 2021 expansion, directing the federal government to mitigate the risks presented by the “concentration of IT vendors and services,” a veiled reference to Washington’s growing reliance on Microsoft, which some lawmakers have described as a “cybersecurity monoculture.”
Although the order marks a tougher stance toward the technology companies that supply the government, enforcing it will fall to the Trump administration, and it is unclear whether the incoming president will follow through on the changes the order calls for. President-elect Donald Trump has emphasized deregulation while signaling that his administration will take a hard line on China, one of the nation’s primary cyber adversaries.
Neither Microsoft nor the Trump transition team responded to requests for comment on the order.
Thursday’s executive order was the latest in a series of regulatory actions affecting Microsoft in the final days of the Biden administration. Last month, ProPublica reported that the Federal Trade Commission had opened an investigation into whether the company’s business practices violate antitrust law. FTC lawyers have conducted interviews and held meetings with Microsoft’s competitors, and one of the main areas of focus is how the company bundles its popular Office products with cybersecurity and cloud computing services.
This so-called bundling was the subject of a ProPublica investigation in November, which detailed how, starting in 2021, Microsoft used the practice to box competitors out of lucrative federal contracts. The FTC views the fact that Microsoft won more federal contracts even as it left the government vulnerable to hacks as an example of the company’s problematic market power, a person familiar with the investigation told ProPublica.
Microsoft declined to comment on the details of the investigation, but told ProPublica last month that the FTC’s recent request for information is “broad, far-reaching, and requests things that are out of the realm of possibility to even be logical.”
The commission’s new leadership, chosen by Trump, will decide the future of that investigation.