A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More

Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Another part of the order boosts CISA’s ability to watch for cyberattacks across the government by tapping into the security software that other agencies operate. It’s an attempt to reduce visibility gaps that adversaries have successfully exploited in many intrusions, especially the 2020 SolarWinds hack. The order requires agencies to give CISA direct access to their security platforms and to allow CISA to conduct unannounced threat-hunting activities on their networks.

“If we find one particular technique that a foreign government is using to hack one particular federal agency,” Neuberger said, “this now … gives CISA centralized visibility to hunt across all agency systems to ensure we’re defending against this attack broadly.”

The security risks and opportunities of AI play a major role in the executive order. The document directs the departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department would have to launch a program to use “advanced AI models” for cyber defense.

Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics like how humans and AI tools can coordinate to analyze cyber threat data, how to ensure the security of AI-generated code, how to design secure AI models, and how to prevent and recover from cyber incidents involving AI systems.

Biden’s order attempts to expedite agencies’ use of digital identity documents to streamline citizen services and reduce waste and fraud. The directive asks agencies to “consider accepting digital identity documents” as proof of eligibility for public benefits. Commerce would have 270 days to issue guidance to help agencies do so.

Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.

The order also lowers the bar for the government to be able to sanction people who launch cyberattacks on US critical infrastructure, potentially easing barriers to deploying one of Washington’s favorite responses to major hacks.