Second Biden cyber executive order directs agency action on fed security, AI, space

A draft obtained by CyberScoop would give the sitting president a short window to sign it before his exit.
U.S. President Joe Biden holds a pen bearing his signature during a briefing on the federal response to the Los Angeles wildfires in the Roosevelt Room of the White House on Monday. (Photo by Andrew Harnik/Getty Images)

A draft cybersecurity executive order would tackle cyber defenses in locations ranging from outer space to the U.S. federal bureaucracy to its contractors, and address security risks embedded in subjects like cybercrime, artificial intelligence and quantum computers.

The draft, a copy of which CyberScoop obtained, constitutes one big last stab at cybersecurity in the Biden administration’s 11th hour. The order is a follow-up to an order published in the first year of his presidency. The new order gives agencies 53 deadlines, stretching in length from 30 days to three years.

“Adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans, with the People’s Republic of China presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks,” the executive order’s opening reads. “These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the Nation’s cybersecurity against these threats.”

Many of its sections are focused on federal cybersecurity. The tasks include measures such as encryption of federal email messages, and requiring contractors to affirm their security commitments — and then having the Cybersecurity and Infrastructure Security Agency verify them.

“In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise,” the order states.

It would seek to strengthen CISA’s ability to hunt for threats across federal agencies, by doing things like telling CISA to coordinate with federal chief information officers and chief information security officers to “develop and release a concept of operations that enables CISA to gain timely access to required data.” Some federal officials have complained about aspects of that plan.

The section on combating cybercrime and fraud, which the order says burdens taxpayers and “wastes government funds,” is less prescriptive. It suggests that agencies consider using digital identity documents for public benefits programs requiring identity verification, provided they adhere to principles like privacy.

But the executive order isn’t confined in its scope to the federal government, let alone the planet.

“In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that Federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation,” it states.

The executive order seeks to capitalize on the promise of artificial intelligence, with directives like tasking the departments of Energy and Defense to develop a pilot program on using AI to improve cyber defenses for critical infrastructure. Another passage also weighs in on quantum computing, with measures such as telling CISA to release “a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.”

One step aims to alleviate the burden of one of the Biden administration’s signature cybersecurity approaches: instituting rules to set minimum cybersecurity requirements for the private sector. “Minimum cybersecurity requirements can make it costlier and harder for threat actors to compromise networks,” it states, in ordering the Commerce Department to evaluate common cybersecurity practices across all industry sectors, then issue guidance on minimum practices.

A White House spokesperson did not respond to a request for comment on the administration’s planned timing for publishing the document. It was reportedly due last week. President-elect Donald Trump is set to be inaugurated Jan. 20.
