U.S. President Joe Biden issued a sweeping cybersecurity directive four days before leaving office, calling for improvements in how the government monitors networks, purchases software, uses artificial intelligence and punishes foreign hackers.
The 40-page executive order released Thursday is the Biden administration's last attempt to kick-start efforts to harness the security benefits of artificial intelligence, roll out digital identities for U.S. citizens and close the gaps that China, Russia and other adversaries have repeatedly penetrated in U.S. government systems.
Anne Neuberger, Biden's deputy national security adviser for cyber and emerging technology, told reporters on Wednesday that the order "is designed to strengthen America's digital foundation and put the new administration and the country on a path for continued success."
Implicit in Biden's directive is the question of whether President-elect Donald Trump will continue to implement these measures after he is sworn in on Monday. None of the high-tech projects enacted in the order are partisan, but Trump's advisers may prefer a different approach (or timeline) to address the issues identified in the order.
Trump has not yet named any senior cyber officials, and Neuberger said the White House has not discussed the order with his transition staff, "but we are pleased that any discussions can take place once the incoming cyber team is appointed during this transitional period."
At the core of the executive order is a set of tasks to protect government networks based on lessons learned from recent major incidents, namely security failures by federal contractors.
The order, which requires software vendors to submit evidence that they follow secure development practices, builds on one first introduced in 2022 in response to Biden's first cyber executive order. The Cybersecurity and Infrastructure Security Agency is tasked with scrutinizing these security certifications and working with vendors to resolve any concerns. To implement this requirement, the White House Office of the National Cyber Director is "encouraged to refer certifications that fail verification to the Attorney General" for possible investigation and prosecution.
The order gives the Commerce Department eight months to evaluate the cyber practices most commonly used by the business community and issue guidance accordingly. Soon thereafter, these practices will become mandatory for companies seeking to do business with the government. The directive also initiates an update to the National Institute of Standards and Technology's Secure Software Development Guidelines.
Another part of the directive focuses on protecting authentication keys for cloud platforms, the leak of which opened the door to China's theft of government emails from Microsoft servers and the recent supply chain hack of the Treasury Department. The Department of Commerce and the General Services Administration have 270 days to develop key protection guidance, which must then become a requirement for cloud providers within 60 days.
To protect federal agencies from attacks that rely on flaws in IoT devices, the order sets a January 4, 2027 deadline for agencies to purchase only consumer IoT devices labeled with the newly launched U.S. Cyber Trust Mark.