
Biden issues executive order enhancing digital identity security

The President signed an executive order intended to boost the privacy of Americans amid continued cyberattacks against the U.S.

President Biden signed an executive order to boost Americans' privacy amid continued cyberattacks against the U.S.


“Adversary countries and criminals have increasingly targeted the U.S. government, corporations, and individual Americans, with cyberattacks that disrupt critical services, businesses, and individual lives, costing billions of dollars, as well as damages,” a senior administration official told reporters on a call previewing the order.

 

The executive order outlines measures to assist the federal government in protecting against cyber attacks that jeopardize the privacy of Americans' digital identities.

The National Security Council (NSC) noted that the U.S. is unique among significant economies in its digital identity infrastructure. According to the NSC, Americans face approximately $56 billion in fraud annually.

A portion of the executive order will ease the U.S. government's sanctions criteria to penalize cyber attackers.



“The goal is to make it costlier, and harder for China, Russia, Iran, [North Korea], and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our nation, from our economy, and employment, to infrastructure, and innovation,” the administration official said, adding later, “It means more tools to publish them, to publicly name, sanction, and penalize these individuals, whether they’re working independently, or for [a] foreign government.”

 

The order will also accelerate the deployment of private-sector technology to enhance government efficiency and minimize fraud.

The NSC encourages the adoption of "privacy-preserving digital identity documents," such as mobile driver's licenses, and initiates an early-warning fraud pilot to alert Americans about potential fraud incidents related to their public benefits and payments.

Additionally, it sets new standards for software providers working with the U.S. government. This comes just weeks after the Treasury Department informed lawmakers that Chinese state-sponsored actors breached the agency early last month, stealing a key from a third-party software service provider.

Building on Biden’s initial cyber executive order, which mandated that federal agencies adopt new practices to safeguard against cyberattacks, the order aims to advance this objective by promoting modern, phishing-resistant technologies within federal agencies.

It will also enhance the visibility of attack activities across government agencies, enabling the Cybersecurity and Infrastructure Security Agency (CISA) to perform its duties more effectively.



“If we find one particular technique that a foreign government has used to hack one particular federal agency, this now tasks CISA and invites CISA centralized visibility to [threat] hunt, across all agency systems, to ensure we’re defending against this attack broadly,” the administration official said.

 

Moreover, the order will expedite the advancement and application of artificial intelligence (AI) and further explore AI-driven cybersecurity solutions and post-quantum technologies. This aspect mirrors Biden’s national security memorandum from last October, which urged government agencies to leverage cutting-edge AI systems to enhance national security.

The order also highlights the need to safeguard space-based systems, referencing the destruction caused by Russia’s assault on Ukraine’s military satellite communications system before its 2022 invasion.

 


KEY PROVISIONS

Software Supply Chain Security: This initiative mandates that software providers submit machine-readable attestations of secure development practices, which the Cybersecurity and Infrastructure Security Agency must validate within 90 days.

Federal Cybersecurity Enhancements: Implements enhanced endpoint detection and response (EDR) tools, authentication methods resistant to phishing, and revised cloud security protocols, with a 120-day deadline for implementation.

Quantum-Resistant Cryptography: Establishes an objective for federal agencies to shift to post-quantum cryptographic standards by 2030 and requires "detailed plans" to be provided within 90 days.

AI for Cyber Defense: Initiates efforts to employ artificial intelligence to enhance cybersecurity, especially in vital infrastructure areas such as energy, with pilot programs set to commence within 180 days.

Cybersecurity in Space: Requires improved security measures for space systems and ground stations to tackle emerging threats. Agency evaluations and updates to cybersecurity standards are required within 180 days.

Open Source Software Management: Advises agencies to implement best practices for using and securing open source software, with guidelines to be provided within 120 days.

New Requirements for Vendors: Federal contractors must adhere to basic cybersecurity standards, and a "Cyber Trust Mark" for consumer Internet-of-Things devices is introduced. The deadline for implementing this mark is 240 days.


 

Numerous foreign adversaries executed hacking operations in the U.S. last year, heightening concerns about the nation’s capacity to defend against such threats. Among these was the unprecedented “Salt Typhoon” operation, where China-backed actors infiltrated over half a dozen telecom companies in the U.S.

As officials disclosed earlier this year, some people targeted in the Salt Typhoon hacks were involved in governmental or political activities. Although the exact number of targets remains undisclosed, President-elect Trump and Vice President-elect Vance were reportedly among those whose phones were targeted.

This eagerly awaited order arrives at the close of the Biden administration and follows two AI-related directives issued by the president earlier this week.

 

