Outgoing President Joe Biden made one of his final moves in office by issuing an executive order focused on enhancing U.S. government cybersecurity. The order, released on Thursday, encompasses a comprehensive plan to bolster cybersecurity measures across various sectors, with a particular emphasis on demanding stronger security protocols from software and cloud companies.
The genesis of this cybersecurity order can be traced back to the aftermath of the Colonial Pipeline ransomware attack, nearly four years ago. As the Biden Administration prepares to transition out, top cybersecurity officials such as Jen Easterly and David Mussington from the Cybersecurity and Infrastructure Security Agency (CISA), along with U.S. cyberspace ambassador Nathaniel Fick, have been actively advocating for continued efforts in combating cyber threats and disinformation campaigns originating from countries like Russia and China. Mussington has also highlighted the necessity of addressing climate change as a significant factor influencing critical infrastructure resilience.
In the days leading up to the end of his term, President Biden orchestrated several additional initiatives aimed at fortifying cybersecurity measures. The United States convened an unofficial UN Security Council meeting to address the proliferation of spyware, while Biden himself criticized the influence of the “tech industrial complex” on disseminating disinformation and widening wealth inequalities in his farewell address on January 15.
The imminent transition to the new administration led by President Trump leaves the future strategy on cybersecurity and related issues uncertain. Nevertheless, the significance of the cybersecurity executive order lies in the lessons learned by the Biden Administration during its tumultuous tenure marked by numerous cybersecurity challenges.
The executive order unveiled by President Biden encompasses a sweeping set of objectives, with an ambitious timeline for implementation, with many directives slated for execution within a year. Among the key directives outlined in the order, federal agencies would collaborate with entities like the National Institute of Standards and Technology (NIST), CISA, the Office of Management and Budget (OMB), and the Federal Acquisition Regulatory Council (FAR Council) to mandate contract requirements for software providers to validate secure software development practices.
Furthermore, an evaluation of open-source software, along with the establishment of best practices for contributing to open-source projects, is in the pipeline. Federal government contractors would be mandated to adhere to cybersecurity practices outlined by NIST while developing or supporting IT services for the government. Additionally, stringent security policies and practices would be devised for cloud service providers in the Federal Risk and Authorization Management Program (FedRAMP) Marketplace to safeguard federal data based on agency-specific requirements.
The cybersecurity order put forth by President Biden also underscores the importance of adopting proven security measures from the industry, particularly in identity and access management, to enhance threat visibility and reinforce cloud security. Initiatives involving pilot tests for anti-phishing standards like WebAuthn and the integration of post-quantum cryptography for key establishment are among the priorities set for federal agencies.
The order further envisions the promotion of digital identities for accessing public benefit programs with a focus on data privacy and interoperability. Additionally, the integration of AI technology for cybersecurity defense and the prioritization of research in AI-cybersecurity domains are emphasized to expedite response and mitigation of cyber threats.
Long-term objectives outlined in the order include the adoption of secure zero-trust architectures, advanced endpoint detection, encryption, network segmentation, and phishing-resistant authentication across federal information systems. The directive also mandates agencies to assess risks arising from vendor concentration in IT services, while the order extends to federal civilian agencies and National Security Systems (NSS) to align with the prescribed requirements.
As President Biden’s term draws to a close, the cybersecurity executive order stands as a testament to the administration’s commitment to fortifying the nation’s cybersecurity infrastructure and readiness for future challenges. Although the road ahead remains uncertain with the transition to a new administration, the groundwork laid by this order sets a formidable foundation for advancing cybersecurity measures and safeguarding critical systems against evolving threats.