Biden signs executive order inspired by lessons from recent cyberattacks
The order gives CISA more eyes to hunt cyber threats on government networks and directs agencies and contractors to be more transparent about the security of their software stockpiles.
President Joe Biden on Thursday approved a capstone cybersecurity executive order that addressed lessons learned in cyberspace over the past four years, largely stemming from cyberattacks that have targeted swaths of sensitive government systems and private sector healthcare infrastructure.
The order, which comes just days before President-elect Donald Trump takes office, focuses on myriad measures to better secure federal systems and gives the U.S. more authority to sanction hackers, namely ransomware groups that hold victims’ systems hostage in exchange for ransom payments.
It follows in the footsteps of a cornerstone May 2021 executive order, penned by Biden largely in response to a pair of high-profile cyberattacks on IT and energy systems at the start of the decade.
Recent cybercriminal activity, as well as related nation-state incursions into federal networks and other critical infrastructure, has greatly alarmed national security officials and lawmakers.
One incident in 2023 involved Chinese hackers accessing the email communications of top Commerce and State Department officials, prompting a review from a Department of Homeland Security-backed cybersecurity review board. A year ago, Russian operatives also nabbed communications between Microsoft and federal agencies.
Last February, a major ransomware hack into UnitedHealth’s Change Healthcare unit affected some 100 million Americans. Other healthcare hacking incidents followed suit. More recently, Chinese government-backed hackers have been found intruding into telecommunications systems, and, more broadly, troves of critical infrastructure, including water treatment plants and power grids.
“The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens,” Anne Neuberger, the outgoing deputy national security advisor for cybersecurity and emerging tech, told reporters in a call to preview the order.
The executive action is built to increase transparency and security in software supply chains, requiring vendors to provide better evidence of their security practices.
“We now require companies to give us proof, and we post that proof publicly, so a rural hospital or regional bank can look at that and say, ‘Okay, this is a software provider that is secure, I want to use that as well,’” Neuberger said.
Within several areas of the order focused on secure software, the National Institute of Standards and Technology is also directed to develop guidance on properly deploying software updates.
In July, a faulty CrowdStrike software update was pushed to millions of Windows computers, causing them to crash with the dreaded “blue screen of death” that impacted multiple federal agencies, as well as numerous companies and transport hubs around the world.
The order also seeks to improve the security of federal systems through cyber incident detection. The Cybersecurity and Infrastructure Security Agency, specifically, would be given centralized visibility to hunt for cyber threats that cross onto government networks.
CISA’s enhanced role, along with several other facets of the order, was reported by Nextgov/FCW last week. One standout measure, which Nextgov/FCW first reported, pushes for government agencies to ramp up use of digital identity documents like mobile driver’s licenses to verify people applying for public benefits.
Among other areas, the Office of the National Cyber Director would be required to craft and submit a study that inventories existing space-connected ground systems and the information they manage and then offer recommendations to improve their cyber posture.
Ground-based space assets like mission control centers or launch facilities are easiest to breach because defending them from intrusions often involves basic cybersecurity practices that many organizations don’t implement, a top Pentagon official said in May.
Under the order, the government would also be required to procure devices that have the newly unveiled Cyber Trust Mark certification label by 2027. The mark is designed to inform consumers about applicable products that meet certain government-vetted cybersecurity standards.
Neuberger said there haven’t been any direct discussions yet with Trump officials about the order, noting that top cyber officials in the new administration haven’t yet been announced.
“So as a result, we haven’t discussed, but we are very happy to as soon as the incoming cyber team is named, of course, have any discussions during this final transition period,” she said.
Nextgov/FCW Staff Reporter Natalie Alms contributed to this report.