In one of his final acts in office, outgoing President Joe Biden on Thursday issued an ambitious order outlining plans to improve U.S. government cybersecurity – including demanding better security from software and cloud companies.
The lengthy Biden cybersecurity order builds on plans that began nearly four years ago in the wake of the Colonial Pipeline ransomware attack. It comes during a week when his top cybersecurity officials – including CISA officials Jen Easterly and David Mussington and U.S. cyberspace ambassador Nathaniel Fick – have been urging the incoming Trump Administration to continue the fight against cyber threats and disinformation from Russia, China and others. Mussington also cited climate change as a threat to critical infrastructure resilience.
In other last-minute moves by the Biden Administration, the U.S. held an informal UN Security Council meeting on efforts to stop the spread of spyware, and Biden himself took aim at the “tech industrial complex” and its effect on disinformation and “extreme wealth” in his farewell address on January 15.
The incoming Trump Administration’s approach to cybersecurity and other issues remains to be seen, but the Biden executive order is noteworthy for the lessons his Administration learned in four tumultuous years for cybersecurity.
Biden Cybersecurity Order Includes Software, Cloud Security
Biden’s final cybersecurity plan lays out ambitious goals – and an equally ambitious timeline, as many of the directives would be implemented within a year.
NIST, CISA, the OMB, and the Federal Acquisition Regulatory Council (FAR Council) would develop contract language requiring software providers to attest and validate that they use secure software development practices.
Open source software will also be examined, with CISA, the OMB and the GSA developing “recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.”
Federal government contractors would be required to “follow applicable minimum cybersecurity practices identified” by NIST “when developing, maintaining, or supporting IT services or products that are provided to the Federal Government.”
FedRAMP policies and practices would be developed for cloud service providers in the FedRAMP Marketplace to create “baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.”
IAM, Post-Quantum Encryption Among Biden’s Goals
Biden’s order instructs the federal government to “adopt proven security practices from industry — to include in identity and access management — in order to improve visibility of security threats across networks and strengthen cloud security.”
Pilot tests for commercial phishing-resistant standards such as WebAuthn are among the requirements for federal agencies, along with post-quantum cryptography (PQC) key establishment (or a hybrid that includes a PQC algorithm) “as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.”
Secure management of access tokens and cryptographic keys used by cloud service providers are another requirement.
CISA will also lead development of “the technical capability to gain timely access to required data” from agencies’ EDR solutions and security operation centers to enable rapid threat hunting.
BGP security shortcomings would be addressed with requirements for ISPs to deploy Internet routing security technologies such as Route Origin Authorizations, Route Origin Validation, route leak mitigation and source address validation.
Encryption would be required for DNS traffic, email, video conferencing and instant messaging.
Digital Identities ‘Encouraged’ by Biden Order
The order also would “strongly encourage the acceptance of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.”
Agencies would work with states to develop and issue mobile driver’s licenses to meet that goal, along with identity fraud reporting.
AI Cybersecurity Innovation and Controls
AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense,” the Biden order states. “The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”
Those efforts would begin with a pilot program “on the use of AI to enhance cyber defense of critical infrastructure in the energy sector.”
That pilot program may include vulnerability detection, automated patch management, and “the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems.”
That would be followed by a Department of Defense program “to use advanced AI models for cyber defense.”
The order also asks agencies to prioritize research on the following topics:
- human-AI interaction methods to assist defensive cyber analysis
- AI coding security assistance, including security of AI-generated code
- methods for designing secure AI systems
- methods for “prevention, response, remediation, and recovery of cyber incidents involving AI systems.”
Secure Architecture a Long-Term Goal
One of the few long-term goals in the order is a requirement that within three years, the Director of OMB would issue guidance “to address critical risks and adapt modern practices and architectures across Federal information systems and networks.”
That includes, at a minimum, zero trust architectures, EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication.
One last requirement calls for agencies to assess “risks to mission-essential functions presented by concentration of IT vendors and services.”
The Biden order applies to federal civilian agencies but not National Security Systems (NSS). However, NSS and “debilitating impact systems” would also be required to develop requirements “that are consistent with the requirements set forth in this order.”
