The order establishes a national certification program for secure technology and lowers the threshold for issuing sanctions against cyber actors.
President Joe Biden is signing an executive order to strengthen the United States’ cybersecurity capabilities following several high-profile hacks from state-sponsored actors in China.
The sweeping Jan. 16 order mandates new security requirements for software used by government entities and contractors, establishes a national certification program for secure technology, and lowers the threshold required for imposing tariffs on malicious cyber actors.
Anne Neuberger, deputy national security advisor for cyber and emerging technology, said that the order would help the United States to more effectively counter malicious cyber activity by adversarial nations and criminal groups alike.
“Adversary countries and criminals have increasingly targeted the U.S. government, corporations, and individual Americans with cyber attacks…,” Neuberger told reporters during a Jan. 15 press call.
“The goal is to make it costlier and harder for China, Russia, Iran, and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens,” she added.
To that end, a White House fact sheet shared with The Epoch Times said that the order would serve to counter “malicious countries and criminals” while also propelling the United States to adopt the type of security-first practices already required by many other nations.
“The United States stands alone among major economies in lacking secure, privacy-preserving digital identity infrastructure, leaving Americans exposed to a wave of cybercrime,” the fact sheet read.
The order also comes after several major and long-lasting hacks against U.S. infrastructure by Chinese and Russian state-backed hackers, including against U.S. telecommunications, satellite, energy, and transportation infrastructure.
Neuberger said the study of some of those major cyberattacks against the United States is what propelled the creation of the order.
“We’ve spent the last seven months carefully reviewing each hacking incident to determine exactly how the Chinese [and] other governments and criminals got through the gates,” she said.
“This capstone executive order is the result of a review of how these attacks occurred to understand how to better protect and secure these systems, stay ahead of threats, and make it riskier, costlier, and harder for cyber attackers to conduct future attacks,” she added.
New Government Cybersecurity Requirements
Key to the order’s success will be a suite of new requirements for software providers who work with the government.
The EO identifies minimum industry standard cybersecurity practices to be required for all companies doing business with the federal government and requires that the government’s software vendors provide evidence that their products were developed using secure practices.
Likewise, it orders the Cybersecurity and Infrastructure Security Agency (CISA) to receive, analyze, and track that evidence to ensure that companies are actually using the secure development practices they claim.
The new requirements are not confined to those wishing to do business with the government, however. There is also a suite of new rules for government agencies to follow.
First among them is a mandate requiring all users on the federal network to use end-to-end encryption for communication, including on all emails and videoconferences.
Similarly, the order further promotes the use of authentication technologies that can more reliably detect phishing attacks, in which a malicious actor seeks to obtain sensitive information or else compel a federal worker into unwittingly installing malware.
Looking further to the future of cybersecurity, the order also requires that agencies begin generating encryption keys with so-called “post-quantum cryptography” algorithms that are hoped to be more resilient to password-breaking attempts by early quantum computers that are expected to be developed in the coming years.
Finally, the order lowers the bar required for the government to issue sanctions against non-state cyber actors engaged in ransomware attacks against American hospitals and businesses.
“It shouldn’t matter if they’re working for a… foreign government, or they’re working for financial gain in our ability to use sanctions,” Neuberger said.
“We want to see a decline in China, Russia, Iran, companies, and criminals leveraging ongoing vulnerabilities and software,” she added.
New Cyber Trust Mark Certification for Consumer Products
The order also looks to reshape the lax security practices employed in innumerable consumer goods by establishing a new national certification program for secure products.
The Cyber Trust Mark program will provide a pathway for producers of consumer goods like home security systems or baby monitors to accredit their goods as being produced with secure practice. And, to incentivize the adoption of those cybersecurity practices, the federal government will begin exclusively purchasing devices with the Cyber Trust Mark in 2027.
The program will also be unrolled alongside new initiatives to drive secure practices in the private sector.
To that end, the order mandates the General Services Administration to develop policies requiring cloud companies to clearly spell out how customers can secure their use of cloud products and requires the National Institute for Standards and Technology to develop guidance for how to securely and reliably deploy software updates.
