A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More


Four days before he leaves office, US President Joe Biden issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence and punishes foreign hackers.

The 40-page executive order unveiled Thursday is the latest attempt by the Biden White House to launch efforts to harness the security benefits of artificial intelligence, introduce digital identities for U.S. citizens and plug loopholes that have helped China, Russia and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundation and also put the new administration and the country on a path of continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters Wednesday.

Hanging over Biden’s directive is whether President-elect Donald Trump will continue any of these initiatives after he is sworn in on Monday. None of the highly technical projects outlined in the order are partisan, but Trump’s advisers may prefer different approaches (or schedules) to solving the problems the order identifies.

Trump has not named any of his top cyber officials, and Neuberger said the White House has not discussed the order with his transition staff, “but we are very happy that once the incoming cyber team is named, we will have any discussions during this final transition period.”

At the core of the executive order is a series of mandates to protect government networks based on lessons learned from recent major incidents—namely, security breaches by federal contractors.

The order requires software vendors to provide proof that they are following secure development practices, building on a requirement that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be in charge of double-checking these security certificates and working with vendors to resolve issues. To put teeth behind the request, the White House Office of the National Cyber Director is “encouraged to refer certificates that fail verification to the Attorney General” for possible investigation and prosecution.

The order gives the Commerce Department eight months to evaluate the cyber practices most commonly used in the business community and issue guidance based on them. Soon after, these practices would become mandatory for companies wishing to do business with the government. The directive also triggers updates to the National Institute of Standards and Technology’s guidelines for developing secure software.

The second part of the directive focuses on protecting the authentication keys of cloud platforms, the compromise of which opened the door to China’s theft of government emails from Microsoft servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop key protection guidelines, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in IoT gadgets, the order sets a Jan. 4, 2027, deadline for agencies to buy only consumer IoT devices that carry the newly launched US Cyber Trust Mark.


