
President Joe Biden signed a broad executive order on cybersecurity aimed at containing malicious cyber-enabled threats, such as attacks against critical infrastructure, ransomware, other intrusions, and sanction evasion. The document expands the criteria to designate individuals and entities for sanctions.
The document focuses heavily on threats posed by ‘adversarial countries and criminals.’ China is mentioned as ‘the most active and persistent cyber threat’ to the US government, private sector, and critical infrastructure.
“The goal is to make it costlier and harder for China, Russia, Iran, and ransomware criminals to hack, and also to signal that America means business when it comes to protecting our businesses and our citizens,” Anne Neuberger, Biden's outgoing Deputy National Security Advisor for Cyber and Emerging Technology, told NPR.
The order expands the criteria that the Treasury Secretary can use to place sanctions and block the properties and interests of individuals and entities engaged in a wide range of malicious cyber activities targeting the US.
What’s in the document?
The separate sections of the executive order cover the following areas:
- Third-party supply chains – The document states that insecure software remains a challenge and introduces new requirements for vendors working with the federal government. Those include attestations, updates to secure software development guidelines, and requirements for agencies to better manage risks in supply chains, including the use of open-source software.
- Federal cybersecurity systems – Agencies will have to implement phishing-resistant authentication standards. The order gives CISA expanded access and powers to hunt for threat actors across networks. It also sets new requirements for space systems, including satellites and ground systems.
- Federal communications – Federal agencies must implement stronger identity authentication and encryption across email, DNS traffic, Internet routing, and modern communications, such as voice and video conferencing. These agencies will also have to transition to post-quantum cryptography.
- Combating cybercrime and fraud – The document pushes for wider acceptance of digital identity documents and mobile driver’s licenses. Digital verification has to be interoperable, prevent surveillance and tracking, and support privacy and data minimization by often using “yes/no” validation (such as whether an individual is older than a specific age). A new pilot program is planned that alerts people when their identity is being used to request benefits payments, letting them stop potential transactions before they occur.
- Artificial intelligence (AI) – The government plans to integrate advanced AI models into cyber defense and directs federal agencies to prioritize research on AI cybersecurity topics like human-AI interaction and the security of AI-generated code.
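As an added illustration of the ‘yes/no’ validation and data-minimization point above (example code written for this article, not part of the executive order or of any named product): a simplified salted-hash selective-disclosure credential, in the style of SD-JWT, in which the holder reveals only an ‘over 21’ predicate and the verifier never sees the date of birth. The issuer name, key and claims are constructed, and an HMAC stands in for the issuer's signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer key (example only). A real issuer would sign with an
# asymmetric key so any verifier can check it without holding a secret;
# HMAC is used here only to keep the example dependency-free.
ISSUER_KEY = b"constructed-issuer-key"


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def issue_credential(claims: dict) -> tuple:
    """Issuer: wrap each claim in a salted disclosure and sign only the digests.

    The per-claim salt stops a verifier from brute-forcing hidden claims (a
    date of birth has little entropy) from the digests it does see."""
    disclosures = {}
    for name, value in claims.items():
        disclosures[name] = json.dumps([secrets.token_hex(16), name, value])
    digests = sorted(_digest(d) for d in disclosures.values())
    payload = json.dumps({"issuer": "constructed-dmv", "digests": digests})
    tag = hmac.new(ISSUER_KEY, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(disclosures: dict, reveal: list) -> list:
    """Holder: hand over only the disclosures the verifier asked for."""
    return [disclosures[name] for name in reveal]


def verify(envelope: dict, presented: list) -> dict:
    """Verifier: check the issuer signature, then accept only disclosures whose
    digest the issuer signed. Returns just the revealed claims, nothing else."""
    expected = hmac.new(ISSUER_KEY, envelope["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("issuer signature invalid")
    signed = set(json.loads(envelope["payload"])["digests"])
    revealed = {}
    for d in presented:
        if _digest(d) not in signed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(d)
        revealed[name] = value
    return revealed
```

A verifier that asks only for `age_over_21` learns a single boolean; the name and date of birth remain behind digests it cannot reverse.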
The executive order requires federal agencies to modernize their infrastructure within 3 years and urges moving to zero-trust architectures.
Vendors will have to follow minimum cybersecurity practices. By 2027, IoT (Internet of Things) products sold to the government will have to carry a new US Cyber Trust Mark label, which was originally supposed to help users evaluate IoT devices.
CNBC notes that it’s not clear if President-elect Donald Trump’s administration will uphold the executive order.
Doubts surround the ambition
Many cybersecurity experts, while welcoming the efforts to strengthen cybersecurity, remain in doubt that the broad approach will work.
“Executive orders are interesting. They recognize that there is a gap in strategy and try to fill that gap by mandates as opposed to executing against a good cyber strategy,” Kevin Kirkwood, CISO at Exabeam, said. “The current focus of cybersecurity is a ‘one-size-fits-all’ approach that will continue to create the gaps that US opponents have been able to slip through.”
Gabrielle Hempel, Customer Solutions Engineer at Exabeam, said that the executive order ‘looks strong on paper, as do many plans,’ but doubted it is feasible to implement.
“Requiring vendors to attest to secure development practices is a good step in supply chain vulnerability management, but how will CISA verify compliance effectively? Many smaller vendors also likely don’t have the resources to address this. Not sure this effort will scale,” Hempel said.
There’s also a ‘stark lack’ of focus on securing critical infrastructure sectors and bridging the gap between public and private infrastructure. Another risk is that implementing the new policies opens a vast number of new attack vectors.
“While AI for cyber defense is a must, it introduces risks like algorithmic bias, adversarial attacks, data leakage, and over-reliance on technology without human oversight and proper regulation in place,” Hempel added.
Steve Cobb, CISO at SecurityScorecard, explains that the Biden Administration builds upon the CISA-promoted ‘Secure By Design’ initiative. However, verifying third-party vendors is only part of the job.
“There is no mention of the critical importance of continuous monitoring. Any positive motion toward holding vendors accountable must include continuous monitoring of their security posture,” Cobb noted.
Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4, noted that the document only mentions software security and doesn’t cover firmware.