
Biden White House goes all out in final, sweeping cybersecurity order – Source: www.csoonline.com


News Analysis

16 Jan 2025 | 8 mins

Data and Information Security | Government | Security Practices

The ambitious final executive order requires 52 agency actions to bolster cyber protections and counter adversaries, including a new plan to address spiraling digital identity theft.

The Biden administration’s last cybersecurity action is a comprehensive and ambitious 50-page executive order (EO) entitled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” which aims “to improve our nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China.”

The order, issued on January 16, also states that “improving accountability for software and cloud service providers, strengthening the security of federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the nation’s cybersecurity.”

Capstone to four years of cyber policy lessons

The EO is a fitting end to a string of decisive executive actions by the administration, starting with a May 2021 executive order spurred by the shocking ransomware attack on Colonial Pipeline. It is also a helpful step forward for the incoming Trump administration as it grapples with spiraling cyber threats from nation-state adversaries, particularly China, and from cybercriminal groups.

“The administration is thinking of this executive order as kind of a capstone to the lessons they’ve learned over the last four years of trying to get things done and advance cybersecurity policy,” Michael Daniel, president and CEO of the Cyber Threat Alliance, tells CSO.

“It draws on the experiences over the last few years and tries to lay a policy foundation that would say to the next administration, alright, you don’t have to worry about this stuff because we’ve set the policy in place, and now you can pursue your policies.”

The final executive order looks to build on the first by putting additional requirements in place for agencies, to try to get ahead of recent attacks and deliver a response to them before the administration comes to an end, Jeremy A. Grant, managing director of technology business strategy at law firm Venable, tells CSO.

“[White House cybersecurity advisor] Anne Neuberger has said she views this as repaying the favor that the Trump administration paid the Biden administration when they released an EO on January 19 four years ago dealing with some of the concerns around foreign adversaries spoofing who they were to buy, say, cloud services to launch ransomware or botnet attacks,” Grant says. “Her take is that we want to ensure they get off on the right foot. And so, we’re putting these things in place to do so.”

Stronger digital identities are chief among the protections

The order features nine sections mandating 52 agency actions across the federal government over the next several years, from bolstering software supply chain security, to combating cybercrime and fraud through digital identity documents, to launching pilot programs to improve cybersecurity through artificial intelligence.

Experts, however, suggest that perhaps one of the most critical components of the EO is the section requiring the adoption of digital identities to fight cybercrime and fraud. This section of the EO reflects an earlier promised, separate executive order on identity theft teased by Biden in his 2022 State of the Union address that ultimately failed to materialize.

To combat the rapidly rising tide of identity-based cyber threats, the EO strongly encourages “the use of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that supports the principles of privacy, accessibility, data minimization, and interoperability.”

It also directs the National Institute of Standards and Technology (NIST) to create guidance regarding standards and best practices for states and the parties that might trust these digital identity documents.

It further asks the Office of Management and Budget (OMB) and the National Security Council staff to determine whether federal grant funding is available to help states develop and issue mobile driver’s licenses that provide stronger means of verifying digital identities, and tells agencies to consider accepting digital identity documents as identity verification evidence for access to public benefits programs.

Daniel says, “If you look at our ecosystem and you examine what is one of the biggest weaknesses we have in the sort of digital ecosystem, it’s that our digital IDs in the United States are terrible, especially when you compare the digital identities that are available to someone in Estonia or countries like that.”

He adds, “We’ve been dealing with this problem for a long time. It is not surprising to me that this administration would say, ‘Look, this is one of our big weaknesses, and there are some things that we could do mostly at the state level.’”

Other top components of the EO

The EO also builds on what the administration calls the “foundational” steps in the first executive order issued in 2021. The following summaries highlight the most noteworthy of these additional actions mandated in the order:

Improving third-party software supply chains

The order stresses that the federal government must adopt more rigorous third-party risk management practices and obtain greater assurance from the software providers that support critical government services. It stipulates, among other things, that the Federal Acquisition Regulatory Council (FAR Council) must require software providers to submit attestations that they follow sufficiently secure software development practices.

Use of phishing-resistant authentication options across federal agencies and other cybersecurity improvements

The order requires federal agencies to begin using, as appropriate, commercial phishing-resistant authentication standards such as WebAuthn, in pilot or larger deployments, so that phishing-resistant options are prioritized. To maintain the federal government’s ability to identify cyber threats, agencies must also immediately share threat information to strengthen the collective defense of military and civilian networks.
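What makes WebAuthn phishing-resistant, as opposed to a one-time code a user can be tricked into typing into a lookalike site, is that the browser (not the user) writes the page origin into the signed client data, and the authenticator only answers for the relying-party ID it was registered against. The following is an added example, not code from the article or the executive order, of the relying-party checks that enforce that binding before signature verification; the RP ID, origin, challenge and assertion bytes are all constructed for illustration, and the final signature check over authenticatorData || SHA-256(clientDataJSON) is outside this example.

```python
import base64
import hashlib
import hmac
import json

# Relying-party configuration: hypothetical values chosen for this example.
RP_ID = "login.agency.example"
EXPECTED_ORIGIN = "https://login.agency.example"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn clients emit."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Origin, challenge and RP-ID binding checks for a WebAuthn assertion.

    These are the steps of the WebAuthn 'verifying an authentication assertion'
    procedure that precede the signature check. Signature verification with the
    stored credential public key follows in a real deployment.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or cross-session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match RP ID"
    if not flags & 0x01:  # UP bit: user presence was verified by the authenticator
        return False, "user-presence flag not set"
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    return True, f"bound to {EXPECTED_ORIGIN}, signCount={sign_count}"


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Fixed 37-byte prefix of authenticatorData (constructed test data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser serializes into clientDataJSON (constructed test data)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


CHALLENGE = hashlib.sha256(b"constructed challenge for this example").digest()

# Legitimate login: browser at the real origin, authenticator scoped to RP_ID.
GOOD = check_assertion_binding(
    make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_authenticator_data(RP_ID), CHALLENGE)

# Phishing attempt: the user was lured to a lookalike origin. Even if the page
# relays the real challenge, the browser stamps the lookalike origin into
# clientDataJSON and the authenticator hashes the lookalike RP ID, so the
# relying party rejects the assertion.
PHISHED = check_assertion_binding(
    make_client_data("https://login-agency.example", CHALLENGE),
    make_authenticator_data("login-agency.example"), CHALLENGE)

# Replay attempt: a captured assertion presented against a fresh challenge.
REPLAYED = check_assertion_binding(
    make_client_data(EXPECTED_ORIGIN, b"\x00" * 32), make_authenticator_data(RP_ID), CHALLENGE)

if __name__ == "__main__":
    for label, result in (("legitimate", GOOD), ("phished", PHISHED), ("replayed", REPLAYED)):
        print(f"{label:10s} accepted={result[0]} reason={result[1]}")
```

The order of checks matters in practice: the challenge check defeats replay, the origin check defeats credential phishing, and the rpIdHash check catches an authenticator response scoped to the wrong site even if the client data were tampered with.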

Securing federal systems through better internet traffic protection

The EO requires federal agencies to protect against adversarial nations and criminals by ensuring that routing information originated and propagated across the internet using the Border Gateway Protocol (BGP) is protected against attack and misconfiguration. The same assurance would be required of the contracted providers of internet services to agencies, who must show that they have adopted and deployed internet routing security technologies.
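The deployed technology behind “internet routing security” for BGP origins is RPKI route origin validation (RFC 6811): a router compares each received announcement against the set of Route Origin Authorizations (ROAs) and classifies it as valid, invalid or not-found. The following is an added example, not from the article or the EO, of that classification logic with a constructed ROA set and a handful of constructed announcements, including a bogus-origin hijack and a more-specific hijack that the ROA’s maxLength blocks.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: 'asn may originate prefix, up to max_length'."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def roa(prefix: str, asn: int, max_length: int | None = None) -> ROA:
    """Build a ROA; with no explicit maxLength, only the exact prefix is authorized."""
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def validate_origin(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' an announcement when the announced prefix lies inside the
    ROA prefix. With no covering ROA the route is not-found (unsigned space).
    With covering ROAs, the route is valid only if at least one of them names
    the origin AS and its maxLength admits the announced prefix length.
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def route_policy(state: str) -> str:
    """The common operator policy: drop invalid, accept valid and not-found."""
    return "reject" if state == "invalid" else "accept"


# Constructed ROA set using documentation prefixes and private-use ASNs.
ROAS = [
    roa("192.0.2.0/24", 64496),                  # exact /24 only
    roa("203.0.113.0/24", 64497, max_length=26),  # /24 through /26 allowed
    roa("2001:db8::/32", 64496, max_length=48),
    roa("198.18.0.0/15", 0),                      # AS0 ROA: nobody may originate this
]

# Constructed announcements: (prefix, origin AS, what the case illustrates)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496, "legitimate origin"),
    ("192.0.2.0/24", 64511, "hijack with a bogus origin AS"),
    ("192.0.2.0/25", 64496, "more-specific beyond maxLength, even from the right AS"),
    ("203.0.113.0/26", 64497, "more-specific within maxLength"),
    ("203.0.113.0/27", 64497, "more-specific past maxLength"),
    ("2001:db8:1::/48", 64496, "IPv6 covered by a /32 ROA"),
    ("198.51.100.0/24", 64498, "no ROA at all"),
    ("198.18.0.0/15", 64498, "prefix protected by an AS0 ROA"),
]


def evaluate_all() -> list[tuple[str, int, str, str]]:
    """Classify every constructed announcement and apply the policy."""
    out = []
    for prefix, asn, _ in ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, ROAS)
        out.append((prefix, asn, state, route_policy(state)))
    return out


if __name__ == "__main__":
    for (prefix, asn, state, action), (_, _, note) in zip(evaluate_all(), ANNOUNCEMENTS):
        print(f"{prefix:18s} AS{asn:<6d} {state:9s} {action:7s} {note}")
```

Two caveats a practitioner would check before turning on reject-invalid: a not-found result gives no protection, so an agency’s own space is only defended once ROAs exist for it, and a ROA whose maxLength is looser than the prefixes actually announced leaves sub-prefix hijacks from a forged origin classified as invalid but sub-prefix announcements from a compromised legitimate AS still valid.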

Accelerate security through artificial intelligence

The EO states that the federal government must “accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”

It directs the Defense and Energy Departments, along with the Defense Advanced Research Projects Agency and the Department of Homeland Security, to conduct a pilot program following the AI Cyber Challenge at the DEF CON 2025 cybersecurity conference to determine how AI can enhance the cyber defense of critical infrastructure in the energy sector. It also requires the Pentagon to establish a program to use advanced AI models for cyber defense.

Will the Trump administration uphold the order?

It’s unclear how much of Biden’s last-minute executive order will be embraced by the Trump administration, which takes power on inauguration day, January 20. “You could see on January 20, after taking the oath of office, [Trump] could go to the Oval Office and sign a new executive order that repeals this, or he could, with his new cyber policy team, whoever the leaders are going to be, decide to review this and perhaps partially revoke some things,” Grant says. “Or they might review this and say, this is actually helpful to us.”

The chief factor determining how much of the EO is accepted or rejected by the Trump administration is who will ultimately be named to fulfill the top cybersecurity policy positions at the White House, at the Cybersecurity and Infrastructure Security Agency (CISA), and elsewhere in the federal government.

“They haven’t come out and named the people,” Daniel says. “If they bring in a lot of the people whose names have been floating around in the press, then I would think they probably won’t roll back a lot of it.”

According to Daniel, “most of those people would look at it and say, ‘Okay, we may not be excited about it, but why roll it back? Because most of what it tries to do is pretty nonpartisan or bipartisan. And if you roll it back, then you’re leaving yourself open to, “so why did you get rid of it?”’”

This story has been updated to indicate that the executive order has been released. The story was originally published based on a draft executive order obtained by CSO. There were no changes in the final order.


Original Post url: https://www.csoonline.com/article/3802476/biden-white-house-to-go-all-out-in-final-sweeping-cybersecurity-order.html

Category & Tags: Data and Information Security, Government, Security, Security Practices
