Potential year-end cyber executive order may hinge on election results, people familiar say
The pending order will focus heavily on federal cyber standards and emerging tech threats, but remains in limbo amid the presidential election.
A second Biden-era cybersecurity executive order could be ushered in by year-end during the congressional “lame duck” session if former president Donald Trump wins a second term in the White House, according to people familiar with the matter.
Conversely, if Vice President Kamala Harris were to win the presidency, the order may be handed off to her transition team to potentially enact after she is sworn into the Oval Office in January, said the people, who spoke on the condition of anonymity to be candid about how they’ve been informed of the Biden administration’s thinking.
Sources with knowledge of the order told Nextgov/FCW that the forthcoming directive would focus on a slew of cybersecurity topics, including secure by design initiatives, software supply chain responsibilities, IT and operational technology security, internet routing, cryptography management, identity management, artificial intelligence and cyber workforce development.
Advancing the migration to post-quantum cryptography — a scientific standard meant to protect against future quantum computers’ ability to break through traditional encryption methods — is also anticipated to be a starring element in the pending executive action.
The new presidential edict would, in essence, help address areas that were not previously or fully covered in a landmark Biden-era cyber executive order issued in 2021. One person familiar with the process described the new order as a “kitchen sink” decree that would tackle unfinished business in the U.S. cybersecurity policy landscape.
While most of the order has been drafted, it may undergo changes, and the Biden administration may elect to pursue a different line of thinking on its release date, the people stressed.
CyberScoop first reported on the pending order last week.
Although the order is expected to partly focus on identity and access management in the government, it’s not expected to encompass the wide-ranging initiatives contained in previous draft versions of a long-promised executive order focused on identity theft in public benefits, according to a different person familiar with the draft order’s contents. The White House told Nextgov/FCW in March that the identity order was still forthcoming.
The National Institute of Standards and Technology declined to comment, while the Cybersecurity and Infrastructure Security Agency referred Nextgov/FCW to the White House for comment. The White House’s Office of the National Cyber Director declined to comment.
The Office of Science and Technology Policy, Office of Management and Budget and the National Security Council did not respond to requests for comment. Additionally, spokespeople for the Harris campaign did not return a request for comment.
It’s logical for the administration to unveil the executive action if Trump were to retake the White House, said Michael Daniel, a former Obama-era NSC cybersecurity coordinator who now heads the nonprofit Cyber Threat Alliance.
“That line of thinking sounds consistent with what I would expect,” he said in an interview. “A December [release] timing makes sense for if you’ve got a Trump administration coming in, and clearly it would make sense for the Biden administration to cooperate and collaborate with an incoming Harris administration to make sure they weren’t stepping on toes.”
Even in the final months of President Joe Biden’s tenure, the White House is taking strides to wrap up myriad cybersecurity and tech policy agenda items. In late October, the administration released a final rule with the Treasury Department barring outbound investments toward advanced technological fields like AI, semiconductors and quantum computing in an effort to protect U.S. national security posture.
Agencies across the federal ecosystem have been accelerating their internal security posture as part of a maturity deadline to implement zero trust architecture in their systems by the end of the government’s 2024 fiscal year.
CISA, meanwhile, has been pushing secure product design, as multiple high-profile cyber incidents occurring since the start of the decade have galvanized interest in the concept, which encourages companies to design their products with built-in security features that come pre-installed at point-of-sale.
ONCD, through a sweeping governmentwide cybersecurity strategy released last March, is also pushing secure-by-design principles, urging developers to adopt memory-safe programming languages with built-in guardrails to prevent unauthorized access, data sabotage or system crashes enabled by hackers. The White House cyber office is also working to boost the security posture of the Border Gateway Protocol, the routing protocol that directs traffic between networks across the internet.
“Across the board, you can look at all these different areas and see that we’re better off, but we’re still not as good as we need to be,” Daniel said. “Doing an EO like this is — it’s the administration trying to lay the foundation for the next wave of work that needs to happen.”