Biden’s crowded new executive order deals with cybersecurity, artificial intelligence and more

Four days before leaving office, US President Joe Biden issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the latest attempt by the Biden White House to boost efforts to harness the security benefits of AI, implement digital identities for US citizens and address loopholes that have helped China, Russia and other adversaries repeatedly penetrate US government systems.

The order “is intended to strengthen America’s digital foundations and also set the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, told reporters on Wednesday.

Hanging over Biden’s directive is the question of whether President-elect Donald Trump will continue any of these initiatives after he is sworn in on Monday. None of the highly technical projects laid out in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems the order identifies.

Trump has not named any of his top cyber officials, and Neuberger said the White House has not discussed the order with his transition staff, “but we are very happy that as soon as the incoming cyber team is named, we will have some discussions during this last transitional period.”

The core of the executive order is a set of mandates to protect government networks based on lessons learned from recent major incidents — namely, the security breaches of federal contractors.

The order requires software vendors to provide proof that they follow secure development practices, building on a requirement that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency will be tasked with double-checking these security certifications and working with vendors to fix issues. To put some teeth behind the requirement, the White House Office of the National Cyber Director is “encouraged to refer certifications that have not been validated to the Attorney General” for potential investigation and prosecution.

The order gives the Commerce Department eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, these practices will become mandatory for companies that want to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guide.

Another part of the directive focuses on protecting the authentication keys of cloud platforms, the compromise of which opened the door for China’s theft of government emails from Microsoft servers and its recent supply-chain hack of the Treasury. Commerce and the General Services Administration have 270 days to develop guidelines for securing those keys, which will then have to become requirements for cloud providers within 60 days.

To protect federal agencies from attacks that rely on flaws in IoT devices, the order sets a Jan. 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

 