Are there any major red flags in Biden’s executive order on cybersecurity?

Anonymous Author
There are gaping holes in this executive order, some of which I can easily pinpoint: What happens to companies that are foreign-owned that sell to the US government? I couldn't find anything about it. In the world of manufacturing, you have cars with parts made in Mexico, Canada and the US, and those vehicles and parts go back and forth across borders. There are now up to 2 million lines of code that go with each car, and when they're all EV there will be up to 3 million. What happens there? That makes a huge difference to how I think corporations will start reacting to this.
1 upvotes
Anonymous Author
When I wrote a quick blog article on this (https://www.schellman.com/blog/schellman-first-take-on-cybersecurity-executive-order), I focused on modernizing federal cybersecurity, software security and the supply chain because they were most relevant to my day job. Section 4, “Enhancing Software Supply Chain Security”, is where most of the net-new concepts are presented. Rather than propose improvements, it details areas the government hasn't gone after before. Now, if you're a software provider, you'll have to go through an authorization system that’s still unnamed. It shouldn't be a certification program, but in the summary press release they call it an Energy Star stamp. All of the good practices that we talk about are highlighted: code review, static/dynamic code analysis, testing, separate environments for testing, etc.
0 upvotes