Amit Yoran, the chief executive at security outfit Tenable, said the Colonial attack underlined how critical the new executive order was to the national security of the US.
The order lists measures to be taken across software suppliers and purchasing, sharing of threat information, modernising the federal government's cyber security posture, and improving the security of software supply chains.
"The question on everyone's mind is whether the executive order will stop the next SolarWinds or Colonial Pipeline attack," said Yoran, who is also a founding director of US-CERT in the US Department of Homeland Security. "Make no mistake — no one policy, government initiative or technology can do that. But this is a great start."
Yoran said within the next year, all software vendors for the Federal Government would need to have an established software development lifecycle.
Augusto Barros (@apbarros), on Twitter, 13 May 2021: "All security vendors going through the Executive Order and trying to put together their marketing plans for it :-)" pic.twitter.com/cZhwIxW0H4
"This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — one broken chain link can bring down the entire fence. While these practices won't prevent all supply chain breaches, it's an important step forward," he said.
"Part of the new guidelines includes breach notification requirements for software suppliers. This forces much-needed transparency and accountability across the private sector which have been avoided for too long. This should be a welcome change by all – technology vendors, government agencies and end-users.
"However, the next and arguably most important step is implementation. While we're encouraged to see cyber security play a prominent role in President [Joe] Biden's policy initiatives, we must now focus our attention on making this executive order actionable."
James Hayes, vice-president for Global Government Affairs at Tenable, said: "As more and more organisations look to zero-trust security as the way forward, this executive order takes a bold step forward in making sure the days of bolting security onto critical systems as an afterthought are upended.
"This detailed order will require federal agencies and their private sector partners to share information and double down on the cyber security basics to successfully drive a zero-trust framework throughout the federal enterprise.
"The past year exposed significant vulnerabilities within our digital infrastructure. We are still learning the full scope and scale of these cyber attacks, and it's becoming clear that, in order to prevent something like this from happening again, the Federal Government and the private sector must partner together to implement smart cyber policies and best practices."
Andrew Rubin, chief executive and co-founder of micro-segmentation provider Illumio, said: "Cyber complacency has been plaguing the federal system for decades, as recently evidenced by the catastrophic breach involving SolarWinds. This new executive order acknowledges that we fundamentally need to change the way we think about cyber resiliency – and it starts with zero trust.
"Globally, we spent US$173 billion (A$223.8 billion) on cyber security last year. Yet in the past year alone we've seen more catastrophic breaches than at any other time in history. Despite our failing strategy and terrible outcomes, the US has continued to take the same approach to federal cyber security as we did 20 years ago."
He said that the new administration had changed that by finally acknowledging the failings of an outdated federal cyber security model, and laying bare the first iteration of a new security design founded on zero trust.
"Cyber complacency isn't just an American problem, or a federal problem, or a policy problem – it's a global problem. That's why I welcome this executive order with open arms. It's a call to action to the world that we need to change the way we protect ourselves," Rubin said.
"This is the first time in history that a US president has acknowledged that we cannot stop all security incidents. Signing this executive order — mandating zero trust and segmentation — has become a public demonstration that detection does not work 100% of the time.
"Our complete reliance on detection to find and stop bad things is no longer an option. With bad actors and nation-states operating at all-time high levels of sophistication, a failure to recognise this will result in a small incident turning into a catastrophic attack – with the potential to impact human lives.
"We need segmentation and we need zero trust – and the government has now publicly declared this vital."