Four days before leaving office, US president Joe Biden issued a major cybersecurity directive that calls for improvements in how the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.
The 40-page executive order unveiled on Thursday is the latest effort by the Biden White House to harness the security benefits of AI, distribute digital identities to US citizens, and close loopholes that have helped China, Russia, and other adversaries make repeated inroads into US government programs.
The order is “designed to strengthen America’s digital foundations and put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, told reporters on Wednesday.
Looming over Biden’s order is the question of whether president-elect Donald Trump will continue any of these plans after he takes the oath of office on Monday. There is nothing overtly partisan in the order, but Trump’s advisers may choose different methods (or timetables) to solve the problems the order identifies.
Trump has not yet named any of his top cyber officials, and Neuberger said the White House did not discuss the order with his transition staff, “but we’re very happy that, as soon as the incoming cyber team was called in, they had discussions during this time of final change.”
The core of the executive order is a series of directives to protect government networks based on lessons learned from recent major incidents—namely, government contractor security failures.
The order requires software vendors to provide evidence that they follow secure development practices, building on a mandate that began in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency will be tasked with double-checking these security guarantees and working with vendors to fix any issues. To put teeth behind the demand, the White House Office of the National Cyber Director is “encouraged to refer evidence that fails to be verified to the Attorney General” for investigation and prosecution.
The order gives the Department of Commerce eight months to assess cybersecurity practices widely used in industry and issue guidelines based on them. Soon after, those practices will become mandatory for companies that want to do business with the government. The order also mandates updates to the National Institute of Standards and Technology’s secure software development guidelines.
Another part of the order focuses on the protection of cloud platform authentication keys, a weakness that opened the door to China’s theft of government emails from Microsoft’s servers and to its recent supply-chain hack of the Treasury Department. The Commerce Department and the General Services Administration have 270 days to develop key security guidelines, which will become required of cloud vendors 60 days later.
To protect government agencies from attacks that exploit vulnerabilities in Internet of Things gadgets, the order sets a deadline of January 4, 2027, after which agencies may purchase only consumer IoT devices that carry the newly introduced US Cyber Trust Mark label.