Just days before leaving office, U.S. President Joe Biden issued an extensive executive order on cybersecurity, requiring over 50 separate agency actions with deadlines ranging from 30 days to three years. While much of the measure is directed inward, at improving the security of the federal government's own information and communications systems, the order also seeks to improve the broader ecosystem by raising standards for commercial products and services the government procures.

Little, if anything, in the order is revolutionary. Instead, it aims to build on existing initiatives and drive progress on multiple fronts, including software security, cloud computing, digital identity, artificial intelligence and quantum computing.

On software security, developers selling to the federal government are already required under a process launched by the Biden-Harris administration's first cybersecurity order in 2021 to attest that they follow certain secure software development practices. The new order goes a step further, requiring agencies to modify the federal acquisition regulation to require vendors to submit evidence that they are following those practices. Further, it requires the Cybersecurity and Infrastructure Security Agency to validate the contractors' claims. And it directs the National Institute of Standards and Technology to do one more revision of its secure software development framework.

With respect to cloud computing, the order requires agencies to ensure their cloud service providers use hardware security modules, trusted execution environments or other isolation technologies to protect access tokens and cryptographic keys. This seems a direct response to the 2023 incident in which Chinese hackers obtained a Microsoft key that allowed them to compromise the cloud-based emails of senior U.S. officials.

On digital identity, the order takes a modest step, encouraging but not requiring agencies to use digital identity documents to access public benefits programs that require identity verification. The U.S. is unique among major economies in lacking a secure digital identity infrastructure for interactions with the federal government. The last major effort to develop an identity system for online engagement with the federal government was launched by the Obama administration in 2011. Despite that effort's careful attention to privacy, it still faced concerns about government overreach. Finding little private sector support, it went nowhere.

The new order doesn't commit the federal government to develop digital identities and doesn't say where an interoperable digital ID suitable for government uses might come from, although it does tell federal agencies to consider grants to assist states in developing and issuing mobile driver's licenses. The order also includes a curiously detailed riff on use of "Yes/No" validation services, also referred to as attribute validation services, which it says can enable more privacy-preserving means to reduce identity fraud. 

Improvements in quantum computing are expected sometime in the not-too-distant future to render inadequate the public-key cryptosystems currently used on government and commercial systems around the world. To prepare, and to protect government communications from being recorded by adversaries for decryption after a quantum breakthrough occurs, the order requires agencies to enable quantum-resistant key establishment within their existing networks as soon as it is available. It also requires agencies to purchase quantum-proof products once they become widely available, both to protect the U.S. government and to help grow the global market for post-quantum technologies.

The order changes the threshold for imposing sanctions for malicious cyberactivity. The current threshold requires a clear nexus to a nation-state, and the government often has problems meeting that threshold for purely criminal activity. The change will allow the imposition of sanctions for things like criminal ransomware. 

It expands the capability of CISA to hunt for threat actors across the federal civilian agencies by requiring agencies to give CISA access to data from their endpoint detection and response tools. Apparently, agencies strongly resisted this, fearing CISA would obtain access to sensitive information. In response, the order requires CISA to coordinate with federal chief information officers and chief information security officers to "develop and release a concept of operations that enables CISA to gain timely access to required data."

The order addresses the cybersecurity of U.S. space systems, requiring agencies to "take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation." It sets in motion a process to develop contract language for federal space systems to address cybersecurity.

Another provision would require federal agencies, by 4 Jan. 2027, to purchase only those consumer Internet-of-Things products that have been given the Cyber Trust Mark, to be issued under an otherwise voluntary program overseen by the Federal Communications Commission. The program allows companies to obtain a label from third-party testers certifying their products are built to specific standards that the FCC will adopt based on NIST's IoT baseline.

AI offers potentially powerful tools to defenders while also possibly supercharging attacks. At the same time, it represents a new supply chain threat, given the fragility of some AI models. To promote security "with and in" AI, the new order calls for establishment of programs at the Pentagon and in the energy sector to use AI for cyberdefense efforts and encourages research to improve the security of AI models.

The measure orders the Commerce Department to evaluate common cybersecurity practices across all sectors, then issue guidance on minimum practices. It's not clear how this relates to the cross-sector cybersecurity performance goals already developed by CISA.

Other provisions address encryption of federal email — is it not already encrypted? — and federal voice, video and text communications; use of phishing-resistant multifactor authentication within the government; and improvements in the way the government's internet service providers implement the border gateway protocol, the language spoken by routers on the internet to send packets to their final destination.

The fate of the order under President Donald Trump is uncertain. Most, if not all, of its provisions are incremental and address widely acknowledged weaknesses in federal information technology systems. One view is that the incoming administration should welcome the tying off of so many issues, leaving it free to start on the next generation of initiatives. But the impact of an executive order is all in the implementation. While there may be nothing so objectionable as to prompt a revocation, agencies may choose, or may receive signals from the White House, to ignore or slow-walk elements of the order. Keeping score from the outside will be difficult.

Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.