Alex Thomas, Steve Inskeep, Rachel Martin discussed on Morning Edition
It's Morning Edition from NPR News. I'm Steve Inskeep. And I'm Rachel Martin. You might remember that just before President Biden took office, the U.S. discovered a massive Russian hack of a Texas software company called SolarWinds. Now the Biden administration plans to release an executive order to prevent future hacks. Dina Temple-Raston of NPR's Investigations team spoke exclusively with the senior White House adviser in charge of the response.
The U.S. hasn't had much of a strategy to battle cyber attacks, and Neuberger thinks it requires a change in the way we think about them.
We're working to shift our mindset from responding incident by incident to preventing them in the first place.
She's the deputy national security advisor for cyber and emerging technology at the White House. She's working on an executive order slated for release in just a couple of weeks. Among other things, the order will create something like the National Transportation Safety Board. Think of a hack like a plane crash. Just as the NTSB inspects the wreckage to see if there needs to be a systematic fix, a cyber NTSB would paw through code and other evidence to do the same.
What can we learn with regard to how we get advanced warning of such incidents? What allowed it to be successful? Potentially what allowed to be brought if it was, which sectors were affected, why?
And so do you think that the NTSB is a good metaphor for it?
We do.
Neuberger says we need a new strategy because we've become so connected, all of us are vulnerable to attack. There still isn't a unified plan for how to respond. For example, when companies get hacked, a lot of them don't tell anyone. A way to fix that, Neuberger says, would be to require federal contractors to report any breach.
If you're doing business with the federal government, then when you have an incident, you must notify us quickly, because we'd like to take that incident and ensure that the tactics, techniques and procedures information is broadly shared.
Companies are supposed to report attacks to the Department of Homeland Security now, but because it isn't required, many don't. In next month's executive order, Neuberger said, they'll set this as a goal, provide a timeline and then establish a process to work out the details. Alex Thomas runs the Internet Observatory at Stanford University.
This is actually kind of a weakness in our overall cyber strategy as a country, is that nobody is really in charge of looking at the big picture.
He liked the idea of a cyber NTSB and getting perspective on the threat.
You have the FBI, which is deeply involved in incident response, but they're there to enforce the law, right? It is not their job to come up with conclusions for the entire society. You have DHS CISA, the Cybersecurity and Infrastructure Security Agency. Their job is to work on defense, so they're probably the closest of the agencies to this, but they don't have any investigative powers. And so we're in this weird position where it's really nobody's job in six months to tell us what happened.
What happened is that Russian hackers piggybacked on a SolarWinds software update and then slipped right into Fortune 500 companies and government computer networks. Neuberger says that's a problem that needs to be addressed.
If you or I are going out to buy network management software like SolarWinds, and we want to buy the software that is most secure, we have no way, Dina, of assessing which that is.
She suggests there's a way that the federal government can incentivize private companies to be safer. One of the government contract no longer went to the lowest bidder, but instead was awarded to a company that could document exactly how and where their software was built.
You know what, I'm willing to pay $5 more for the more secure software because I don't want to bring more risk into my network.
And they would need to say where their code was written and maintained. Kirsten Todd is the managing director of the Cyber Readiness Institute. She helped the Obama administration think through cyber issues, and she's been briefed on the new order.
I think it's a first step. It's definitely not the Holy Grail. Well, it's not a destination. It's the departure point, but it's easier said than done. The key is going to be in how each of these elements of the executive order is executed, and really how government is going to bring industry in to perform the functions, to really look pre-event, middle of event, post-event, and how we take those lessons learned and integrate them.
Todd thinks the government is going to have to work with companies to tell them what secure software looks like, and an executive order alone won't do that. And while you may never have heard of SolarWinds or have been affected by that attack, we are all increasingly vulnerable. You know, cyber threats loom large in a way that Americans feel. And Neuberger again.
Can we trust our water, power to be resilient? We see small companies being forced to pay a ransom to get their business back up and running, and we see school systems' networks down due to criminals, so those risks touch everyday Americans' lives as well as at the national level.
The Biden administration has already leveled sanctions against Russia for the SolarWinds attack. And the White House has said there would be more seen and unseen responses to the breach. The unseen responses, like whether the Biden administration is preparing an attack of cyberspace, Neuberger declined to talk about directly. Dina Temple-Raston, NPR News.
Let's take a moment now to remember Michael Collins, the third astronaut on one of the most famous space missions in history.