After nearly four years of heavy activity on US cyber defense, the Biden administration has wrapped up its term with one more sprawling cybersecurity executive order that beefs up the defenses of federal agencies.
The order could very well be repealed by the incoming Trump administration, but if it stands it would create new security-by-design requirements for the software that federal agencies use and would speed the uptake of quantum-resistant algorithms. The order also expands CISA's access to federal endpoints and telemetry for security purposes, mandates phishing-resistant authentication and AI-based defensive tooling for agencies, and would require them to be more careful in how they handle open source software.
Cybersecurity executive order spurs broad range of federal agency improvements
Most of the cybersecurity executive order is focused on federal agencies and their contractors, particularly those providing cloud services under FedRAMP authorization. But two other groups could see changes if the terms stand: state governments, and private companies in the critical infrastructure sector. That both have been heavily targeted by hackers in recent years is unsurprising, but the order's provision for the states focuses on a narrower issue: advancing digital identity verification and the concept of a mobile driver's license for delivering government benefits and services.
Critical infrastructure companies are being invited into a long-term program meant to determine how AI can best be used to defend these sectors from foreign disruption, with the order calling for new defensive models to be in action by late this year.
In terms of direct action at federal agencies, the Secretary of the Treasury would have expanded power to sanction foreign entities that deploy ransomware or otherwise extort money from US targets. The cybersecurity executive order also hastens the adoption of post-quantum (quantum-resistant) cryptographic algorithms by these agencies, and stresses the adoption of both phishing-resistant authentication (such as WebAuthn) and AI-based monitoring tools. There is also a call to expand CISA's power to essentially operate across other agencies' networks and conduct proactive defense, with agencies required to provide more real-time telemetry and endpoint access for the purpose of threat hunting.
Security by design a central focus of cybersecurity executive order
But by far the biggest single item addressed by the cybersecurity executive order is security by design for the federal government's software suppliers. A variety of incidents during the Biden term have likely prompted this, most notably the rash of attacks by Chinese state-backed groups such as Salt Typhoon and Volt Typhoon. Software providers may be looking at having to pass a government-verified attestation process to demonstrate that their products meet new secure-by-design standards, a process now set to be written into federal acquisition rules under the watch of the Federal Acquisition Regulatory Council (FAR Council) over the next several months.
New NIST guidance on the deployment of patches and updates can also be expected if the cybersecurity executive order stands, along with an update to the Secure Software Development Framework (SSDF). Federal agencies can additionally expect new recommendations on the handling of open source software within the next few months.
The software supply chain is certainly among the elements of national defense most in need of work, and organizations should plan as though Biden's cybersecurity executive order will hold up under the Trump administration, since it addresses issues that are almost entirely bipartisan and enjoy a great deal of consensus.