Four days before leaving office, US President Joe Biden issued a sweeping cybersecurity directive that mandates improvements in the way the government monitors its networks, purchases software, uses artificial intelligence and punishes foreign hackers.
The 40-page executive order unveiled Thursday is the latest attempt by the Biden White House to boost efforts to harness the security benefits of AI, implement digital identities for American citizens and close loopholes that have helped China, Russia and other adversaries repeatedly penetrate United States government systems.
The order “is designed to strengthen America’s digital foundation and also put the new administration and the country on the path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, told reporters Wednesday.
Looming over Biden’s leadership is the question of whether President-elect Donald Trump will continue any of these initiatives after he is sworn in on Monday. None of the highly technical projects enacted in the order are partisan, but Trump’s advisers may prefer different approaches (or timelines) to solving the problems the order identifies.
Trump has not named any of his top cyber officials, and Neuberger said the White House did not discuss the order with his transition staff, “but we are very happy to have conversations as soon as the incoming cyber team is named during this last transition period.”
The core of the executive order is a series of mandates to protect government networks based on lessons learned from recent major incidents, notably security failures by federal contractors.
The order requires software vendors to provide evidence that they follow secure development practices, based on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security certifications and working with vendors to fix any issues. To reinforce the requirement, the White House Office of the National Cyber Director is “encouraged to refer certifications that have not been validated to the Attorney General” for possible investigation and prosecution.
The order gives the Commerce Department eight months to evaluate the cyber practices most commonly used in the business community and issue guidance based on them. Soon after, those practices would become mandatory for companies trying to do business with the government. The directive also initiates updates to the National Institute of Standards and Technology’s secure software development guide.
Another part of the directive focuses on protecting the authentication keys of cloud platforms, the compromise of which opened the door to China’s theft of government emails from Microsoft servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud providers within 60 days.
To protect federal agencies from attacks that rely on flaws in Internet of Things devices, the order sets a deadline of January 4, 2027 for agencies to purchase only consumer IoT devices carrying the newly released US Cyber Trust Mark label.