Biden signs exec order to boost cyber security in US

Move in wake of attacks sets standards for sector, may include safety labelling system

A tanker filling petrol at a station in Hollywood. Colonial Pipeline on Wednesday announced a gradual return to operations at its fuel pipeline following a five-day shutdown after a cyber attack. It would take several days for product delivery to return to normal, the US company said.

PHOTO: AGENCE FRANCE-PRESSE

Nirmal Ghosh, US Bureau Chief in Washington

US President Joe Biden has signed a sweeping executive order designed to enhance cyber security in the wake of a series of attacks on American companies that have highlighted the vulnerabilities of data and critical infrastructure.
The executive order on Wednesday establishes standards similar to those for air safety, turning a thus far "laissez-faire attitude" into a pre-emptive approach with industrywide standards and the establishment of a Cybersecurity Safety Review Board co-chaired by the government and the private sector.
A safety labelling system may be introduced - much as New York restaurants now have safety labels in the context of the coronavirus pandemic.
"Singapore has built a cyber-security labelling initiative for Internet-connected devices - that's a great starting point for the United States," a senior administration official told reporters.
"We simply cannot wait for the next incident to happen to be the status quo under which we operate," the official said. "The cost of a continuing status quo is simply unacceptable."
The executive order reflects a "fundamental shift in our mindset, from incident response to prevention", the official said.
Under Singapore's Cybersecurity Labelling Scheme, smart devices are rated according to their levels of cyber-security provisions to enable consumers to make informed purchasing decisions, according to the website of the Cyber Security Agency of Singapore.
The executive order came as many petrol stations on the US east coast ran out of petrol on panic buying following a shutdown last Friday after a cyber attack on Colonial Pipeline, the company that carries almost half of all fuel used on the east coast.
On Wednesday, the company announced a gradual return to operations.
The restart took place at 5pm local time (5am on Thursday in Singapore) but it would take several days for product delivery to return to normal, the company said.
"Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal."
The White House said in a statement: "Recent cyber-security incidents such as SolarWinds, Microsoft Exchange and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.
"These incidents share commonalities, including insufficient cyber-security defences that leave public and private sector entities more vulnerable to incidents."
Much of US domestic critical infrastructure is owned and operated by the private sector, where companies make their own determinations on cyber-security investments.
"We encourage private sector companies to follow the federal government's lead and take ambitious measures to augment and align cyber-security investments," the statement said.
Specifically, the executive order removes barriers to the sharing of threat information between the private sector and the government; companies including IT service providers will be required to share information on certain types of breaches.
The principle is a "zero-trust security model", the senior official said.
The order mandates deployment of multi-factor authentication and encryption. It also improves supply chain security by establishing baseline security standards for development of software sold to the government, and requires developers to maintain greater visibility into their software and make security data publicly available.