Biden cyber executive order gets mostly plaudits, but its fate is uncertain
A sweeping executive order on cybersecurity released Thursday won largely positive reviews, with the main question being its timing — and what will come of it with the executive branch set to be handed over from president to president.
Chris Inglis, the former national cyber director for Joe Biden who has served under both Democrats and Republicans, told CyberScoop there is a measure of “positive audacity” in the scope of the order, which he described as “doubling down” on the defensive cybersecurity philosophy put in place by the Biden administration on how to best defend tech across the public and private sectors.
Rep. Bennie Thompson, D-Miss., also praised the order.
“President Biden has done more to raise the bar for security for the Federal government, its vendors, and critical infrastructure owners and operators than any of his predecessors,” the top Democrat on the House Homeland Security Committee said in a written statement to CyberScoop. “The Executive Order charts a course for the next Administration to build on the progress the Biden-Harris Administration made reducing systemic cyber risk by shifting the responsibility for security to those best positioned to make the digital ecosystem more secure. I hope the next Administration will execute the EO in good faith, and I am committed to working with them to do so.”
Carole House, a special adviser for cybersecurity and critical infrastructure policy at the National Security Council, said during a webinar Thursday that there was cause for hope that the Trump administration would support the order, citing past bipartisanship on cyber.
“These are issues that just rise above and transcend party politics,” she said at an event hosted by the Center for Cybersecurity Policy and Law. “The initiatives in here [are] … critical ones that strengthen our federal systems, strengthen critical infrastructure and benefit national security more holistically. We have no reason to believe that the new team coming in would not care about these things.”
A spokesperson for the Trump transition team didn’t respond to requests for comment.
But at least one influential Hill Republican took issue with the timing of the document.
“By signing an executive order with cumbersome requirements in the final days of his administration, President Biden is impairing continuity with the incoming Trump administration. President Trump has a new vision for American security, and he should not be kept from pursuing his cybersecurity agenda,” said House Homeland Security Chairman Mark Green, R-Tenn. “To add insult to injury, the Biden administration did not appear to properly consult impacted industry stakeholders, who already take precious time away from defending their networks to comply with the current cyber regulatory regime.”
In response to audience questions during her webinar appearance, House discussed White House outreach to key companies, such as cloud providers.
“There were definitely some discussions,” she said. “This was very collaborative and inclusive. … So we leveraged the benefits of other agencies that have also long been engaging with cloud providers.”
She did not, however, answer what kind of conversations the Biden team had with Trump’s.
Whatever the level of consultation with the private sector, one industry group said in a comment on the executive order that they wanted just that from the Trump administration.
“Accelerating the use of AI to promote better security outcomes, supporting the development of a robust digital identity infrastructure to help combat fraud, and promoting the adoption of post quantum cryptographic products are sound cyber policies,” John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council, said in a written statement. “We encourage the incoming Trump-Vance Administration to meaningfully engage with industry on efforts to mitigate cyber risks while promoting the trust, innovation, and data flows fundamental to unlocking the benefits of the next wave of digital innovation.”
Until the incoming Trump administration weighs in, it’s hard to say how they’ll actually react to it.
“My guess is that the next administration is going to take a careful look at what’s in here and decide if they want to continue supporting it,” said Brandon Wales, who held top positions at the Cybersecurity and Infrastructure Security Agency under both Biden and Trump and now is vice president of cyber strategy at SentinelOne. “I do think that a lot of what this executive order calls for are things that must make sense to ensure that we have the right security of federal systems and that we’re using the federal government’s ability to help shape the market” outside of the federal government.
Wales told CyberScoop that the sections with a chance to make the biggest impact, if implemented, are those on improving the tech that governments and companies use, the security of internet routing and CISA’s ability to hunt for and identify threats in federal IT.
It’s not clear how the Biden administration’s order — which focuses primarily on defensive cybersecurity and nudging private industry to up their game — will align with the desire by some incoming Trump national security officials to shift to a more offensive posture in cyberspace, Inglis said.
While the Trump administration will likely have an “expectation that our systems are going to be easier to defend and we’re going to hold accountable defenders to defend them,” Inglis said there’s also “going to be a bias … that will extend from the first Trump administration for muscularity, for cost imposition.”
There are also tight timelines in the executive order — some 30 to 60 days away — that could make it hard to meet deadlines during personnel turnover, said Inglis, who is now serving in a number of private sector advisory and board roles.
Regardless of what comes next for implementing the executive order, it was a worthy update given everything that has happened since the first Biden administration executive order in 2021, said Michelle Sahar, cybersecurity policy director at OpenPolicy. The new order’s focus on growing or emerging threats — like in the areas of supply chain security, quantum computing and artificial intelligence — reflects that.
The order did miss an opportunity to address operational technology that’s used to control and manipulate physical devices and processes, said Amit Elazari, CEO of OpenPolicy, who otherwise praised it. But she was hopeful that, unlike the standalone AI executive order, the cyber order is an area of more bipartisan agreement.
A civil liberties group gave kudos to the document’s promotion of steps to protect sensitive personal data housed at federal agencies.
“End-to-end encrypted communications, phishing-resistant credentials, and measures to enhance software security are all important improvements to protecting government systems and data,” Samir Jain, vice president of policy at the Center for Democracy & Technology, said in a written statement.
Bob Kolasky, former head of the Department of Homeland Security’s National Risk Management Center, told CyberScoop that the document reads like the Biden administration decided to throw everything but the kitchen sink into an order before leaving office.
He’s “eager” to see how receptive incoming Trump administration officials will be to the mandates. He highlighted the sections on software bills of materials, software attestation and building cybersecurity requirements into federal contracts as a natural continuation of previous federal policy that should endure across administrations.
Still, Kolasky said that while career officials in government “don’t have the discretion to decide which [mandates] the president signs get done and which don’t,” the long-term impact of the order will ultimately depend on how much weight incoming Trump administration officials give to the mandates.
“When new political leadership arrives, question number one is ‘how much priority do you want me to give to this?’” said Kolasky, now senior vice president for critical infrastructure at Exiger. “I don’t think the work of the government stops in this period, but it has to be put on hold until you get guidance from the new head of the executive.”