Outgoing United States president Joe Biden has signed a cyber security executive order (EO) promising to build on the “foundational steps” taken earlier in his administration by ordering additional actions to improve the US' cyber security.
In one of his last official acts before the inauguration of president-elect Donald Trump next week, Biden detailed actions intended to improve accountability for software and cloud service providers, strengthen the security of US government IT infrastructure, modernize security best practice, promote innovation, and address malicious cyber threats to the US – and by extension her allies – emanating from other jurisdictions.
“Significant malicious cyber-enabled activities … pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” said Biden, presenting the EO to Congress.
He wrote: “These campaigns disrupt the delivery of critical services across the nation, cost billions of dollars, and undermine Americans' security and privacy. More must be done to improve the nation's cyber security against these threats.”
Core provisions
Among the provisions of interest to the security industry are the imposition of new reporting requirements on software suppliers to the US government, including the introduction of secure software development attestations, to be overseen by the Cybersecurity and Infrastructure Security Agency (CISA).
The order also requires federal government bodies to adopt industry best practice, especially in identity and access management (IAM), to improve threat visibility and strengthen cloud security, and to implement strong authentication and encryption across their infrastructure.
It also supports the modernization of said infrastructure where it supports critical government work, and enforces the use of cyber best practice in areas such as zero-trust, endpoint detection and response (EDR), encryption, network segmentation, and phishing-resistant multifactor authentication (MFA), as well as around procurement and use of government contractors.
Elsewhere, it calls on the government to accelerate research at the intersection of artificial intelligence (AI) and security, and post-quantum encryption.
Finally, the EO sets out additional steps to combat cyber threats, providing that any property or interests in property in the US are blocked and may not be transferred or paid to any individuals determined by the US government to be complicit or to have engaged in malicious cyber activities.
Support
Illumio public sector chief technology officer Gary Barlet, who previously held US government CIO posts at multiple organizations, said: “Biden's executive order introduces several promising proposals that could significantly enhance the nation's cyber security posture, including stricter software requirements, guidance on leveraging artificial intelligence for cyber defenses, and the adoption of endpoint detection and response tools.
“It's encouraging to see a focus on addressing critical issues that align with the pressing need to counter nation-state threat actors, and I'm particularly encouraged by the emphasis on collaboration, which will be essential to the success of these measures.”
Overruled?
However, with Biden's time in the White House now measured in hours, Barlet said that the success of the EO would depend on policy priorities set forth by the incoming Republican administration.
“The next administration has an opportunity to bring renewed focus and energy to government technology. By building on the existing foundations and progress, we could see meaningful progress in federal cyber security posture and collaboration efforts that lead to impactful results,” he said.
Echoing his actions in the wake of his 2016 victory, Trump is expected to sign a pile of new EOs after taking office on 20 January, many of them likely to focus on issues such as immigration that activated his voter base in November.
Whether or not Trump will take any immediate action on cyber security remains to be seen. Speaking to journalists before Biden signed the order, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said Biden's team had not discussed the content of the EO with Trump's transition team in advance, but that they were open to such discussions once Trump's team is in place.
According to reports, Trump is close to picking cyber veteran Sean Plankey to run CISA, replacing the outgoing Jen Easterly.
Plankey, who currently works with post-quantum encryption firm Indigo Vault, among other things, served in security roles at the Department of Energy (DoE) and was director for cyber policy on the National Security Council during Trump's first term. He has also worked in security roles in America's armed forces, including naval intelligence and the Coast Guard.
Neuberger said she hoped that the broad brush aims of the EO were bipartisan enough that they should be taken forward by the next president.