Ransomware sanctions, software security among key points in new Biden executive order
Cybercrime, federal cybersecurity and securing commercial software are the focal points of an executive order that President Joe Biden issued Thursday in the waning days of his administration.
Anne Neuberger, deputy national security adviser for cyber, told reporters that the executive order was born from a seven-month review of all the major cyber incidents that have plagued the U.S. government over the last four years — including Chinese attacks on U.S. email systems and Russian targeting of satellite systems.
“This administration's cyber [executive order] today is designed to strengthen America's digital foundations and also put the new administration and the country on a path to continued success,” she said.
“The goal is to make it costly and harder for China, Russia, Iran and ransomware criminals to hack and to also signal that America means business when it comes to protecting our citizens.”
The executive order is broken out into nine major issues:
- Making Sanctions More Effective to Punish Cyber Attackers, including Ransomware Attackers
- Making Software More Secure – for Americans, Companies and the Federal Government
- Combatting Billions of Dollars in Cybercrime and Keeping Americans Secure Online
- Promoting Security with and in Artificial Intelligence (AI)
- Reducing Bureaucracy and Waste in Government Cybersecurity
- Keeping American Consumers Safe
- Improving Security of Federal Systems
- Promoting Adoption of Post-Quantum Technologies
- Defending against Threats to Space Systems
Much of the document focuses on leveraging the U.S. government’s $100 billion of annual IT procurement to force companies into producing more secure products, deploying artificial intelligence more broadly and adopting post-quantum technology.
The order also empowers federal agencies to better protect the U.S. government while seeking to “cut bureaucracy and fraud.”
It amends the U.S. government’s sanctioning authorities so that agencies can better target ransomware gangs. Neuberger explained that it effectively lowers the bar for what can be sanctioned because currently, the government has to spend months, and sometimes years, looking for ties between ransomware gangs and foreign governments or companies.
“We want to really be able to make it riskier, costly and harder for malicious cyber actors. If somebody's attacking and disrupting a hospital in this country, it doesn't matter to us, or it shouldn't matter if they're working for a foreign government or they're working for financial gain in our ability to use sanctions against them,” she said.
“This sharpens that authority so we can more broadly and easily sanction these actors.”
Neuberger said the White House did not coordinate the executive order with the transition team for President-elect Donald Trump, noting that ahead of President Joe Biden’s inauguration in 2021, Trump’s team issued several cybersecurity orders that were helpful to the incoming administration.
Neuberger added that while Biden administration officials have had broader national security discussions with the Trump team, the incoming president has not yet named his cybersecurity leaders.
Government procurement
Biden administration officials said a top goal is to use the U.S. government’s massive buying power to force changes onto software makers.
The order requires software suppliers to the federal government to prove they are using secure development practices when creating their products and establishes initiatives that will validate the proof. Neuberger noted that the results of the validation will be published so that customers outside of government can also know which companies use secure processes.
The National Institute of Standards and Technology (NIST) will be required to create guidance for how companies can “securely and reliably deploy software updates,” while the General Services Administration (GSA) will be required to “develop policy driving cloud companies to clearly spell out how customers can secure their use of cloud products.”
Government waste is featured prominently in the executive order, and it says cybersecurity requirements for federal information systems must be simplified over the next three years. A minimum set of cybersecurity practices will be required for any company doing business with the federal government, it adds.
Another mandate says agencies must better protect their systems with tools such as centralized visibility and threat hunting to quickly identify and mitigate threats. The Cybersecurity and Infrastructure Security Agency (CISA) will be asked to enable governmentwide visibility of attacker activity while also sharing threat information.
Agencies will be required to implement phishing-resistant authentication technologies and use end-to-end encryption in communications, including email and videoconferencing.
The executive order also institutes new cybersecurity contract requirements for agency-procured space systems that protect command-and-control systems.
The Office of the National Cyber Director also will be required to inventory space ground systems and develop recommendations for improving their cyberdefenses.
Agencies will be required to protect communications with “quantum resistant” methods, meaning they would be difficult for as-yet-undeveloped quantum computers to decrypt.
The order launches a public/private partnership that will deploy artificial intelligence for the cyberdefense of critical infrastructure in the energy sector. It also promotes research into AI-based cybersecurity tools that can handle vulnerability discovery, threat detection and patch management.
Privacy and identity
Biden administration officials said the United States “stands alone among major economies in lacking secure, privacy-preserving digital identity infrastructure, leaving Americans exposed to a wave of cybercrime.”
Americans, they said, are forced to deal with more than $56 billion worth of identity fraud every year, and the U.S. government continues to lose billions to hackers exploiting vulnerabilities in federal programs.
When it comes to American citizens, the executive order seeks to promote privacy-preserving digital identity documents like mobile driver’s licenses and other technology designed to reduce the prevalence of identity fraud.
It also launches a pilot program involving an early-warning fraud tool that can alert Americans of potential fraudulent claims of their public benefits and payments.
The order serves as a capstone to the Biden administration — which has faced multiple headline-grabbing cyber incidents but also pushed through the landmark National Cyber Strategy.
“This really is the capstone cyber executive order reflecting lessons learned from how cyber attackers got in to conduct some of the most significant attacks that were either disruptive of critical infrastructure or particularly harmful to national security,” Neuberger said.
“It includes real steps to close those gates and also make our digital infrastructure more secure and also make it easier for us to use sanctions authority against actors.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.