6 Sources
[1]
Biden signs 11th-hour cybersecurity executive order
Ransomware, AI, secure software, digital IDs - there's something for everyone in the presidential directive

Analysis

Joe Biden, in the final days of his US presidency, issued another cybersecurity order that is nearly as vast in scope as it is late in the game. The sweeping directive, signed Thursday, covers a range of topics including securing federal communications networks against foreign snoops, issuing tougher sanctions for ransomware gangs, requiring software providers to develop more secure products, and using AI to boost America's cyber defense capabilities, among others.

This latest presidential mandate follows a year of unprecedented attacks by Chinese government spies who have been spotted lurking in federal and telecommunications networks and burrowing into critical infrastructure to prep for future destructive cyberattacks. Additionally, ransomware criminals disrupted thousands of pharmacies and hospitals across the US and stole sensitive information belonging to around 100 million people after locking up Change Healthcare's systems in February. Also on Thursday, Microsoft warned that the Russian Federal Security Service's online arm was back with a new data-stealing phishing campaign despite the feds and Microsoft seizing or taking down more than 180 websites related to that activity since October.

And it comes just days before Donald Trump becomes America's 47th president, despite many of the deadlines stretching well into the new administration's takeover.

While the US is facing serious cyber threats from nation states and financially motivated criminals alike, several of the executive order's components may be dead on arrival. "Given the timing right before a change in the administration, I can't help but think it's a bit of a Hail Mary designed to include everything possible and just see what sticks," Wallarm security strategist Tim Erlin told The Register.
"It's important to keep in mind that these executive orders, while sweeping in their intentions, are limited in scope and often significantly delayed in their timing," he added. "For example, the requirement for government procurement using the recently ratified Cyber Trust Mark doesn't take effect until 2027. A lot can change with cybersecurity in two years."

A big chunk of the order addresses the need to better secure software supply chains and use the government's procurement power to ensure this happens. It references Biden's earlier cybersecurity directive, executive order 14028, signed in May 2021 during his first year in office. This led to the development of secure software development practices, required software companies to demonstrate compliance with those practices, and then told federal agencies that they could only use software from providers that attest to using those best practices.

Still, "in some instances, providers of software to the federal government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise," the EO says.

To address these issues, the cybersecurity directive mandates that software companies which sell to the government must submit proof to CISA that they are following secure software development practices. It also requires the federal government to come up with a "coordinated set of practical and effective security practices to require when it procures software" - essentially minimum cybersecurity requirements. Plus, it directs the National Institute of Standards and Technology (NIST) to provide guidance on how to securely deploy patches and software updates, and directs several heads of government agencies including CISA to issue recommendations on patching open source software and best practices for contributing to open source projects.
These federal procurement requirements are likely to see pushback from the software industry - and possibly a complete rollback from Trump, who is not a fan of regulations. "Obviously, the lobbyists are going to fight tooth and nail" to eliminate the extra steps software makers must take to prove their products are secure, Tom Kellermann, global fellow for cyber policy at the Wilson Center, told The Register. Still, he added, the presidential order is "missing something." "It should mandate that you have to be able to continuously monitor your code, your applications, for behavioral anomalies, i.e. zero-days," Kellermann said. "Like continuously monitoring, in real time, and runtime, in production. Not you scan it in development and you show me an attestation that you do that. The whole reason why the Chinese and Russians are getting in all the time is because of zero-days." Another major piece of the EO involves securing federal networks and systems following a series of intrusions by both Russia and China into government IT systems and devices. This section requires agencies to use phishing-resistant authentication standards such as WebAuthn. It directs the Department of Defense and Homeland Security to "establish procedures to immediately share threat information" while strengthening CISA's "capability to hunt for and identify threats across FCEB agencies." Both of these aim to speed up the government's hunting and identification of new threats before they move across government networks. The EO also says government agencies must enable transport encryption by default across email, instant messaging, and internet-based voice and video conferencing. 
But it stops short of mandating end-to-end encryption to protect secure communications and instead says agencies shall "where technically supported, use end-to-end encryption by default while maintaining logging and archival capabilities that allow agencies to fulfill records management and accountability requirements."

This, according to Virtru CEO John Ackerly, who worked in the George W Bush White House as a tech advisor, is another missed opportunity for the Biden administration. Ackerly pointed to the order's "multiple mentions" of transport layer security, or TLS.

"While maybe unsurprising given the continued hedging from the outgoing administration and the FBI on this topic, the silence on end-to-end encryption is deafening," he told The Register. "TLS only protects data in transit - and it is only in transit for an instant."

Following the Salt Typhoon attacks that compromised US telcos and allowed Beijing-backed spies to "record phone calls at will," the FBI and CISA advised people to use "responsible encryption."

"In a world where bad actors are attacking the US on a daily basis, 'responsible encryption' and TLS is simply not enough," Ackerly said. "True privacy and security demands end-to-end encryption. This is not debatable. The President's EO misses the mark."

AI gets its own section in the EO, titled "Promoting Security with and in Artificial Intelligence." The directive sets several AI-related deadlines and mandates a public-private collaboration and pilot program on using AI for cyber defense in the energy sector. It also mandates a new DOD program to deploy advanced models for cyber defense and prioritizes funding for research into AI-assisted cybersecurity.
"While AI for cyber defense is a must, it introduces risks like algorithmic bias, adversarial attacks, data leakage, and over-reliance on technology without human oversight and proper regulation in place," cautioned Gabrielle Hempel, a customer solutions engineer at Exabeam.

And then on the other side of AI security - securing the software and models themselves - the order requires the DOD, Homeland Security, and Directors of National Intelligence and Office of Management and Budget to incorporate the management of AI software vulnerabilities into their processes. It also calls for these agencies to do a better job coordinating "vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems."

Hempel says the EO "looks strong on paper," but adds that many plans do. "How feasible is it to implement? With the way the federal government moves, there will be an entirely new attack landscape before it is implemented," she warned.

For example, another section of the EO encourages the use of digital identity documents to access public benefit programs as a means to combat stolen and fake identities used by criminals in digital fraud schemes.

"Digital identity frameworks are a great step as many other countries are already using and governing them," Hempel said. "However, I raise the same question as all other technology implementations the government has: how will we ensure data privacy and not open a vast amount of new attack vectors in implementing this?"

While the EO mentions securing federal systems, "there is a stark lack of focus on securing critical infrastructure sectors and bridging the gap between public-private infrastructure," Hempel noted. "Federal security is only one piece of the puzzle, and, frankly, not where the greatest vulnerability lies."
[2]
A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More
Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers. The 40-page executive order unveiled on Thursday is the Biden White House's final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems. The order "is designed to strengthen America's digital foundations and also put the new administration and the country on a path to continued success," Anne Neuberger, Biden's deputy national security adviser for cyber and emerging technology, told reporters on Wednesday. Looming over Biden's directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump's advisers may prefer different approaches (or timetables) to solving the problems that the order identifies. Trump hasn't named any of his top cyber officials, and Neuberger said the White House didn't discuss the order with his transition staff, "but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period." The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents -- namely, the security failures of federal contractors. The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden's first cyber executive order. 
The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House's Office of the National Cyber Director is "encouraged to refer attestations that fail validation to the Attorney General" for potential investigation and prosecution. The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology's secure software development guidance. Another part of the directive focuses on the protection of cloud platforms' authentication keys, the compromise of which opened the door for China's theft of government emails from Microsoft's servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days. To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.
[3]
Biden issues an 11th hour executive order aimed at strengthening U.S. cybersecurity
Photo caption: President Joe Biden speaks during a meeting about cybersecurity in the East Room of the White House on Aug. 25, 2021. On Thursday, Biden signed a sweeping new executive order on cybersecurity. Drew Angerer/Getty Images

In President Biden's final week in office, he signed a sweeping executive order on cybersecurity incorporating lessons learned over the last four years. From his first days in the White House, Biden was confronted with disruptive digital attacks, from Russian spying on U.S. government agencies through third-party software to ransomware attacks hitting hospitals and Chinese hackers burrowing into critical infrastructure.

Over time, the Biden administration found new ways to confront the spies and cybercriminals. They clawed back ill-gotten gains by targeting cryptocurrency wallets. They published detailed indictments zeroing in on individual hackers from across the globe. They shut down botnets and deleted malicious code off infected devices, to name a few examples. But hackers continue to steal large amounts of data and dollars, and the threat is far from over.

With that in mind, the new executive order released Thursday follows up on a previous one issued in Biden's first year in office. It's focused on further securing federal agencies and contractors, and giving the federal government more power to sanction the hackers who target critical infrastructure.

"The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens," said Anne Neuberger, Biden's outgoing Deputy National Security Advisor for Cyber and Emerging Technology, during a call with journalists.

On the defensive side, the U.S. government is using the power of the purse. Software vendors who sell to the government will have to prove they're using secure development practices to win and keep lucrative federal contracts.
Standards for verifying compliance will be developed by the National Institute of Standards and Technology, or NIST. The executive order will also enforce cybersecurity standards for buying new space systems. There's also a focus on fighting identity theft. The U.S. government is pushing industry to develop secure, privacy-protecting digital identity solutions. There's an emphasis on vendors securely storing private cryptographic keys for identity management. Internally, the U.S. government will require agencies to adopt quantum-resistant algorithms to protect against theft and decryption by adversaries. And the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA, will be given more responsibility to hunt for known vulnerabilities across federal systems. They'll have more "centralized visibility," said Neuberger. The Biden White House is also launching a partnership with the private sector to develop tools to use artificial intelligence to better secure the energy sector, specifically by scanning for vulnerabilities and automatically suggesting potential patches. "It's a sector that's particularly targeted by countries and criminals," said Neuberger. Finally, the executive order will make it easier for the federal government to slap sanctions on ransomware groups who target critical infrastructure like schools and hospitals. Neuberger told reporters that the Biden team had not gone into specifics on the cybersecurity executive order with President-elect Donald Trump's transition team in advance, as he hasn't yet named his senior cybersecurity officials. She said they are open to those discussions once Trump's team is in place. Incoming Trump officials can cancel or replace Biden's executive actions at will. But the hope, Neuberger said, is that the aims of the executive order are broadly bipartisan. 
Industry and policy experts are praising the executive order and encouraging President-elect Trump to maintain and build on the Biden team's cybersecurity efforts. "Cybersecurity and defending our nation's critical infrastructure against threats has always been a nonpartisan issue," said Ilona Cohen, the chief legal and policy officer for cybersecurity company HackerOne. "We are particularly encouraged by the order's recognition of the potential for artificial intelligence to enhance cybersecurity and its focus on management of vulnerabilities involving AI systems and software," Cohen said. "We encourage the Trump administration to advance the order's provisions, particularly those aimed at staying ahead of China on security by using AI."
[4]
President Biden signs executive order to strengthen national cybersecurity in last days in office - SiliconANGLE
Outgoing U.S. President Joe Biden signed a cybersecurity-related executive order today that's aimed at strengthening national cybersecurity and making it easier to pursue foreign adversaries and hacking groups that try to undermine U.S. systems.

The "Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity" covers a range of initiatives designed to address the evolving nature of cyberthreats and reinforce the country's defenses.

The order calls for the establishment of minimum cybersecurity standards for government technology contractors to ensure that contractors demonstrate compliance with specific security benchmarks, reducing vulnerabilities in federal systems. The government aims to close gaps often exploited by threat actors in the supply chain by making sure that contractors are in compliance with minimum standards.

To enhance national capabilities against foreign cyber adversaries, the order expands the scope of sanctions available under previous directives, including increased penalties targeting individuals and entities responsible for ransomware attacks on critical infrastructure, healthcare systems and other essential services.

Quantum computing and artificial intelligence get a look-in in the executive order. Federal agencies are being directed to adopt new cryptographic standards that can withstand the computational power of quantum attacks to ensure the long-term resilience of sensitive data and communication systems. On the AI front, the order mandates the development of AI-powered tools to automate the detection and response to vulnerabilities across government networks.

The order also requires that all vendors to the U.S. government of internet of things devices be compliant and labeled with a U.S. Cyber Trust Mark by Jan. 4, 2027.
The Trust Mark, announced by the White House earlier this month, is a cybersecurity labeling program for internet-connected devices that aims to help consumers easily identify products that meet established cybersecurity standards.

Finally, the order also allocates resources for workforce development in the cybersecurity sector, including funding for training programs and partnerships with educational institutions to create a pipeline of skilled professionals. The initiative aims to address the growing shortage of cybersecurity talent while promoting innovation in both the public and private sectors.

Exactly how many of the policies introduced in the executive order will live past the inauguration of President-elect Trump on Monday is unclear, although there doesn't appear to be any obvious partisan politics in the orders; on the surface, they seem reasonable, and that's a view shared by cybersecurity experts.

"President Biden's final cybersecurity executive order takes a bold step in addressing the evolving threats our nation faces, particularly from adversarial states like China, Russia and North Korea," Andrew Borene, executive director of Global Security for cyber threat intelligence company Flashpoint and a former Office of the Director of National Intelligence senior official, told SiliconANGLE via email. "With its focus on secure software standards, emerging technologies, and critical infrastructure, the order demonstrates a clear understanding of the challenges at hand and the need for decisive action."

Recognizing the issues with the timing, Lorri Janssen-Anessi, director of External Cyber Assessments at supply chain defense firm BlueVoyant LLC, noted that the "timing of the new order, coming at the tail end of an administration, raises legitimate concerns regarding the possibility of its implementation."

"That being said, it's important to recognize that cybersecurity is largely viewed as a bipartisan issue," Janssen-Anessi added.
"Protecting national infrastructure and data from cyber threats is a shared priority across political divides. Given the critical nature of the threats and the fact that cyber incidents do not respect political boundaries, it is likely that the incoming administration will recognize the value in continuing to support and implement many of the executive order's objectives."

One interesting takeaway is that despite the last-minute on-the-way-out timing, the executive order was apparently known to be coming.

"This final executive order has been somewhat of an open secret in Washington, with drafts being circulated to a limited audience for a few weeks now," Casey Ellis, founder of crowdsourced cybersecurity platform provider Bugcrowd Inc., told SiliconANGLE. "The White House, and especially departments like the Office of the National Cyber Director, have built up a lot of technical expertise on the topics covered by this EO over a particularly transformational time in technology, and many of those involved are political appointees or staffers whose tours are coming to a close."

Ellis is not confident that the executive order will remain in place, though, adding that "despite the strong chance that the order will be promptly reversed with the administration change, this EO is a clear effort to ensure that the core cybersecurity, safety and International Relations equities conclusions developed over the past four years are a part of the U.S. policy zeitgeist."
[5]
Biden to sign executive order boosting digital identity protection
President Biden will sign an executive order on Thursday intended to boost the privacy of Americans amid continued cyberattacks against the U.S. "Adversary countries and criminals have increasingly targeted the U.S. government, corporations and individual Americans with cyberattacks that disrupt critical services, businesses and individual lives, costing billions of dollars as well as damages," a senior administration official told reporters on a call Wednesday previewing the order. The executive order lays out a series of initiatives to help the federal government defend against cyber attacks that threaten the privacy of Americans' digital identities. The National Security Council (NSC) acknowledged on Wednesday the U.S. "stands alone" among major economies when it comes to the country's digital identity infrastructure. Americans encounter about $56 billion in fraud each year, the NSC said. Part of the executive order will lower the bar for sanctions imposed by the U.S. government to punish cyber attackers. "The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack and to also signal that America means business when it comes to protecting our nation, from our economy and employment to infrastructure and innovation," the administration official said, adding later, "It means more tools to publish them, to publicly name, sanction and penalize these individuals, whether they're working independently or for [a] foreign government." The order will also speed up the rollout of private-sector technology to increase government efficiency and reduce fraud. It promotes the use of "privacy-preserving digital identity documents" like mobile driver licenses and the launch of an early-warning fraud pilot that will notify Americans of potential fraud incidents involving their public benefits and payments, the NSC said. It also establishes new requirements for software providers for the U.S. government. 
It comes just weeks after the Treasury Department informed lawmakers that Chinese state-sponsored actors hacked into the agency early last month and stole a key from a third-party software service provider.

Building upon Biden's first cyber executive order, in which federal agencies were required to implement new practices to protect themselves from cyberattacks, Thursday's order will further this goal by advancing the use of modern, phishing-resistant technologies in federal agencies. It will also promote the visibility of attack activity across government agencies for the Cybersecurity and Infrastructure Security Agency (CISA) to more efficiently do its job.

"If we find one particular technique that a foreign government has used to hack one particular federal agency, this now tasks CISA and invites CISA centralized visibility to hunt across all agency systems to ensure we're defending against this attack broadly," the administration official said.

In addition, the development and use of artificial intelligence (AI) will also be accelerated under the order, along with further research of AI-based cybersecurity tools and post-quantum technologies. The component echoes that of Biden's national security memorandum issued last October, which encouraged government agencies to seize on the most advanced AI systems to boost national security.

The order additionally brings attention to the protection of space-based systems, pointing to the devastation from Russia's attack on Ukraine's military satellite communications system ahead of its invasion of Ukraine in 2022.

Numerous foreign adversaries carried out hacking operations in the U.S. last year, further raising alarm about the country's ability to fend off such attacks. Among the attacks was the unprecedented "Salt Typhoon" operation, during which China-backed actors hacked into more than half a dozen telecom firms in the U.S.
Among those targeted in the Salt Typhoon hacks were some involved in the government or political activities, officials said earlier this year. While officials have not revealed exactly how many were targeted, President-elect Trump and Vice President-elect Vance were among the phones reportedly targeted. The highly anticipated order comes at the tail-end of the Biden administration and follows two AI-related orders issued by the president earlier this week. It remains unclear whether Trump will choose to keep or repeal Thursday's order when he is sworn back into the Oval Office next week.
[6]
Biden to sign order to strengthen federal agencies' security, invest in new AI cyber defenses
Zoom in: The executive order kicks off the process of setting up a slew of new cybersecurity requirements for government contractors and agency security teams.

Reality check: It's unclear if President-elect Trump will keep the executive order in place once he's sworn in Monday.

The big picture: The executive order is a grab bag of projects that the administration had been working on based on its time fighting a large number of high-profile hacks, including SolarWinds and Colonial Pipeline.

What we're watching: Cybersecurity remains a bipartisan issue, and it's possible some of these new requirements hold up.
President Joe Biden signs a sweeping cybersecurity executive order in his final days, addressing AI, ransomware, software security, and digital identities. The order aims to strengthen national cybersecurity but faces an uncertain future under the incoming Trump administration.
In the twilight of his presidency, Joe Biden has signed a sweeping cybersecurity executive order, aiming to fortify America's digital defenses against evolving threats. This directive, issued just days before Donald Trump's return to office, addresses a wide range of cybersecurity concerns and introduces new measures to protect federal networks, enhance software security, and combat foreign cyber adversaries [1][2].
The order mandates federal agencies to adopt phishing-resistant authentication standards like WebAuthn and implement transport encryption by default for email, instant messaging, and internet-based communications [1]. It also strengthens CISA's capability to hunt for and identify threats across federal agencies, promoting centralized visibility and rapid threat information sharing [2][3].
Building on a previous 2021 directive, the order requires software vendors selling to the government to provide proof of secure development practices [2]. The Cybersecurity and Infrastructure Security Agency (CISA) will be tasked with validating these security attestations, with potential legal consequences for non-compliance [2][4].
The directive promotes the use of AI to enhance cybersecurity, particularly in the energy sector [3]. It also mandates federal agencies to adopt quantum-resistant algorithms to protect against future decryption threats [3][4].
Recognizing the US's lagging digital identity infrastructure, the order pushes for the development of secure, privacy-protecting digital identity solutions [5]. It also introduces an early-warning fraud pilot to notify Americans of potential fraud incidents involving their public benefits and payments [5].
By January 4, 2027, all Internet of Things (IoT) devices purchased by the government must comply with the US Cyber Trust Mark, a new cybersecurity labeling program [4].
The order expands sanctions capabilities against ransomware groups targeting critical infrastructure and makes it easier for the government to penalize foreign hackers [3][5].
While the executive order addresses critical cybersecurity issues, its future remains uncertain as Donald Trump prepares to take office [1][2][3]. The Biden administration did not discuss the order with Trump's transition team, but cybersecurity experts hope that the bipartisan nature of these issues will encourage the incoming administration to maintain and build upon these efforts [3][4].
Cybersecurity experts have largely praised the executive order, recognizing its comprehensive approach to addressing evolving threats [4][5]. However, some have expressed concerns about the timing and potential implementation challenges given the imminent change in administration [4].
As the US continues to face sophisticated cyber threats from nation-states and cybercriminals, the effectiveness of this last-minute directive will ultimately depend on the incoming Trump administration's willingness to embrace and implement its provisions.