In a last-minute move by the Biden administration, a new cybersecurity executive order was issued which could serve as a blueprint for future policy under the incoming Trump administration. Despite its broad scope and ambitious goals, there are concerns about whether this executive order is coming too late in the game to have a significant impact.
The executive order, issued on Thursday, addresses a wide array of cybersecurity issues, including updates to previous directives on software supply chain security and cybercrime sanctions. Key aspects of the order include enhanced protection for IP address numbers and user identities in federal digital systems, as well as the implementation of pilot programs in areas such as AI cyber defense for critical infrastructure systems. However, with less than a week left in the Biden administration, the timing of this order has left many cybersecurity experts puzzled and wary of its potential long-term impact.
Brian Fox, co-founder and CTO of Sonatype, a software supply chain security management company, expressed skepticism about the timing of the executive order. He noted that the scope of the order suggests it reflects the priorities the Biden administration would have pursued if they had remained in office. Despite uncertainties about whether the Trump administration will fully implement this order, there is a sense that it sets a course for cybersecurity policy within the Executive Branch that may not be easily reversed.
Joshua Corman, who leads the UnDisruptable27 project focused on cybersecurity threats, emphasized the bipartisan nature of cybersecurity issues but highlighted the varying priorities of different administrations. While there may be some continuity in certain aspects of cyber defense policies between the Trump and Biden administrations, there are likely to be differences, particularly in how commercial industry is treated.
Chris Hughes, chief security adviser at Endor Labs, echoed Corman’s sentiments, pointing out the shared priorities between the two administrations in areas such as zero trust, software supply chain security, and defending the defense industrial base. However, Hughes also noted potential differences in how critical infrastructure and nation-state threats, like those posed by China, are addressed.
The executive order also addresses the issue of cybercriminal sanctions, particularly in response to ransomware attacks. Jon DiMaggio, chief security strategist at Analyst1, highlighted the order’s focus on providing federal agencies with the authority to sanction entities involved in compromising critical infrastructure, engaging in ransomware attacks, or tampering with elections. While the order aims to crack down on cybercrime, there are questions about its effectiveness and specificity in targeting criminal activities.
Another key aspect of the executive order is the emphasis on AI cyber defense for critical infrastructure. In response to recent nation-state attacks on sectors like water utilities, the order calls for the development of AI tools to enhance cyber defense capabilities. While this represents a step in the right direction, there is a need for more detailed guidance on AI security to ensure the effectiveness and reliability of these tools.
Overall, the new cybersecurity executive order from the Biden administration sets the stage for potential policy directions in the incoming Trump administration. While the order addresses critical cybersecurity issues and lays out ambitious goals, its impact remains uncertain due to its late issuance and the upcoming presidential transition. Whether this order will ultimately shape the cybersecurity landscape in the years to come will depend on how it is implemented and followed by the new administration.