- President Biden introduces new governmental cybersecurity requirements
- Third-party software providers must demonstrate adherence to new requirements
- The federal government must use end-to-end encryption by default
In one of his last acts as President of the United States, Joe Biden has signed an executive order aimed at strengthening US national cybersecurity.
The order lays out a series of checks and reviews on third-party software providers for both government systems and critical infrastructure in order to ensure they are adhering to established cybersecurity standards and making active efforts to eradicate existing vulnerabilities.
The executive order posits the People’s Republic of China is the main threat to vulnerable networks, likely referencing numerous attacks against US critical infrastructure in early 2024 by the Chinese state-sponsored Volt Typhoon group, and subsequent attacks against US telecommunications networks by the group.
New security standards
“I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats,” President Biden’s order said.
It also builds upon previous requirements laid out in the Executive Order on Improving the Nation’s Cybersecurity from 2021, and implements greater security checks on third-party providers to ensure “software providers that support critical Government services are following the practices to which they attest.”
Third-party providers will therefore have to provide frequent demonstrations that their software and supply chains are secure, with the contracting agency being notified of those failing to meet security requirements.
The federal government is also mandated to adopt identity management software, phishing-resistant authentication, and end-to-end encrypted communications by default across DNS protocols, email, voice and video conferencing, and instant messaging.
Biden also looks to address the future threat of cryptanalytically relevant quantum computers (CRQC) which, when viable, will be able to break many of the encryption algorithms in use today. US agencies will be required to adopt quantum-safe encryption methods authorised by the National Institute of Standards and Technology (NIST).