Analysis: Joe Biden, in the final days of his US presidency, issued another cybersecurity order that is nearly as vast in scope as it is late in the game.
The sweeping directive, signed Thursday, covers a range of topics including securing federal communications networks against foreign snoops, issuing tougher sanctions for ransomware gangs, requiring software providers to develop more secure products, and using AI to boost America’s cyber defense capabilities, among others.
This latest presidential mandate follows a year of unprecedented attacks by Chinese government spies who have been spotted lurking in federal and telecommunications networks and burrowing into critical infrastructure to prep for future destructive cyberattacks.
Additionally, ransomware criminals disrupted thousands of pharmacies and hospitals across the US and stole sensitive information belonging to around 100 million people after locking up Change Healthcare’s systems in February.
Also on Thursday, Microsoft warned that the Russian Federal Security Service’s online arm was back with a new data-stealing phishing campaign despite the feds and Microsoft seizing or taking down more than 180 websites related to that activity since October.
And it comes just days before Donald Trump becomes America’s 47th president, even though many of its deadlines stretch well into the new administration’s term.
While the US is facing serious cyber threats from nation states and financially motivated criminals alike, several of the executive order’s components may be dead on arrival.
“Given the timing right before a change in the administration, I can’t help but think it’s a bit of a Hail Mary designed to include everything possible and just see what sticks,” Wallarm security strategist Tim Erlin told The Register.
“It’s important to keep in mind that these executive orders, while sweeping in their intentions, are limited in scope and often significantly delayed in their timing,” he added. “For example, the requirement for government procurement using the recently ratified Cyber Trust Mark doesn’t take effect until 2027. A lot can change with cybersecurity in two years.”
Securing software supply chains
A big chunk of the order addresses the need to better secure software supply chains and to use the government’s procurement power to ensure this happens. It references Biden’s earlier cybersecurity directive, executive order 14028, signed in May 2021 during his first year in office.
This led to the development of secure software development practices, required software companies to demonstrate compliance with those practices, and then told federal agencies that they could only use software from providers that attest to using those best practices.
Still, “in some instances, providers of software to the federal government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise,” the EO says.
To address these issues, the cybersecurity directive mandates that software companies which sell to the government must submit proof to CISA that they are following secure software development practices.
It also requires the federal government to come up with a “coordinated set of practical and effective security practices to require when it procures software” – essentially minimum cybersecurity requirements.
Plus, it directs the National Institute of Standards and Technology (NIST) to provide guidance on how to securely deploy patches and software updates, and directs several heads of government agencies, including CISA, to issue recommendations on patching open source software and best practices for contributing to open source projects.
These federal procurement requirements are likely to see pushback from the software industry – and possibly a complete rollback from Trump, who is not a fan of regulations.
“Obviously, the lobbyists are going to fight tooth and nail” to eliminate the extra steps software makers must take to prove their products are secure, Tom Kellermann, global fellow for cyber policy at the Wilson Center, told The Register.
Still, he added, the presidential order is “missing something.”
“It should mandate that you have to be able to continuously monitor your code, your applications, for behavioral anomalies, i.e. zero-days,” Kellermann said. “Like continuously monitoring, in real time, and runtime, in production. Not you scan it in development and you show me an attestation that you do that. The whole reason why the Chinese and Russians are getting in all the time is because of zero-days.”
Securing federal networks
Another major piece of the EO involves securing federal networks and systems following a series of intrusions by both Russia and China into government IT systems and devices.
This section requires agencies to use phishing-resistant authentication standards such as WebAuthn.
It directs the Department of Defense and Homeland Security to “establish procedures to immediately share threat information” while strengthening CISA’s “capability to hunt for and identify threats across FCEB agencies.” Both of these aim to speed up the government’s hunting and identification of new threats before they move across government networks.
The EO also says government agencies must enable transport encryption by default across email, instant messaging, and internet-based voice and video conferencing. But it stops short of mandating end-to-end encryption to protect secure communications and instead says agencies shall “where technically supported, use end-to-end encryption by default while maintaining logging and archival capabilities that allow agencies to fulfill records management and accountability requirements.”
This, according to Virtru CEO John Ackerly, who worked in the George W Bush White House as a tech advisor, is another missed opportunity for the Biden administration.
Ackerly pointed to the order’s “multiple mentions” of transport layer security, or TLS. “While maybe unsurprising given the continued hedging from the outgoing administration and the FBI on this topic, the silence on end-to-end encryption is deafening,” he told The Register. “TLS only protects data in transit – and it is only in transit for an instant.”
Following the Salt Typhoon attacks that compromised US telcos and allowed Beijing-backed spies to “record phone calls at will,” the FBI and CISA advised people to use “responsible encryption.”
“In a world where bad actors are attacking the US on a daily basis, ‘responsible encryption’ and TLS is simply not enough,” Ackerly said. “True privacy and security demands end-to-end encryption. This is not debatable. The President’s EO misses the mark.”
Securing AI and AI-enabled security
AI gets its own section in the EO, titled “Promoting Security with and in Artificial Intelligence.” The directive sets several AI-related deadlines and mandates a public-private collaboration and pilot program on using AI for cyber defense in the energy sector.
It also mandates a new DOD program to deploy advanced models for cyber defense and prioritizes funding for research into AI-assisted cybersecurity.
“While AI for cyber defense is a must, it introduces risks like algorithmic bias, adversarial attacks, data leakage, and over-reliance on technology without human oversight and proper regulation in place,” cautioned Gabrielle Hempel, a customer solutions engineer at Exabeam.
And then on the other side of AI security – securing the software and models themselves – the order requires the DOD, Homeland Security, the Director of National Intelligence, and the Office of Management and Budget to incorporate the management of AI software vulnerabilities into their processes.
It also calls for these agencies to do a better job coordinating “vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”
Hempel says the EO “looks strong on paper,” but adds that many plans do. “How feasible is it to implement? With the way the federal government moves, there will be an entirely new attack landscape before it is implemented,” she warned.
For example, another section of the EO encourages the use of digital identity documents to access public benefit programs as a means to combat stolen and fake identities used by criminals in digital fraud schemes.
“Digital identity frameworks are a great step as many other countries are already using and governing them,” Hempel said. “However, I raise the same question as all other technology implementations the government has: how will we ensure data privacy and not open a vast amount of new attack vectors in implementing this?”
While the EO mentions securing federal systems, “there is a stark lack of focus on securing critical infrastructure sectors and bridging the gap between public-private infrastructure,” Hempel noted. “Federal security is only one piece of the puzzle, and, frankly, not where the greatest vulnerability lies.” ®