Biden’s Last Cybersecurity Executive Order: What Tech, Security Pros Must Know

During his time in office, former President Joe Biden and his administration attempted to tackle two of the most pressing technology issues of the last decade: Increasing cybersecurity threats from criminal groups and nation-state actors and the development of generative artificial intelligence for widespread commercial use.

In response to these technology challenges, the Biden administration created a series of executive orders that sought to position the U.S. government to develop solutions. For example, in response to the SolarWinds attack, one early executive order addressed security weaknesses in the software supply chain by emphasizing the development of more secure code, as well as changing how government agencies must evaluate and purchase applications.

Later, another executive order laid out guidelines concerning A.I. development and how public and private organizations must secure the technology and ensure its trustworthiness (President Donald Trump rescinded this specific executive order on his first day in office).

In one of his last official acts in office, Biden signed the final cybersecurity executive order of his presidency on Jan. 16 to fill lingering gaps and address issues ranging from ransomware to cybersecurity at federal agencies to additional security improvements for software. Since most of the goals are bipartisan, experts believe the new Trump administration will likely keep most, if not all, of the order intact.

At the heart of the Biden order is the U.S. government’s $100 billion IT procurement budget and how federal agencies can leverage that buying power to ensure software suppliers use secure code to develop applications that, in turn, can benefit all enterprises and consumers. At the same time, the administration wants to use more A.I. and post-quantum technologies to reduce risks and improve security while revamping how criminal and nation-state groups are sanctioned for ransomware attacks and other intrusions.

"The goal is to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our businesses and our citizens," said Anne Neuberger, the former deputy national security advisor for cyber and emerging technology.

The executive order is also likely to have a major effect on developers, along with tech and cybersecurity professionals who now have to adjust their skill sets, as they are tasked with developing secure code and meeting new standards in quantum computing and cryptography.

“This executive order transforms how federal agencies protect their systems and data, while also reshaping the obligations vendors must meet to do business with the government,” Jason Soroko, a senior fellow at security firm Sectigo, told Dice. “By insisting on secure-by-design principles, quantum-resistant encryption and stronger DevSecOps frameworks, the administration compels both public and private sectors to evolve. This executive order is unusually detailed, but it can serve as an example of what all consumers of security technology should demand in their procurement process.”

From cyber threats and ransomware to pushing application developers to use more secure code to the roles of A.I. and post-quantum technologies, here are the parts of the Biden executive order most critical to tech and cybersecurity pros.

Improving Supply Chain Security

When Biden first entered office in 2021, his administration began addressing the fallout of the SolarWinds attack. As he left office on Jan. 20, the White House confronted a pair of attacks attributed to a China-linked group that targeted U.S. telecom providers and the Treasury Department.

In all these cases, the attackers appeared to use weaknesses in third-party suppliers to target their objectives. While the Biden administration previously took steps to improve supply chain security, the last executive order adds additional emphasis.

Specifically, the portion of the executive order dedicated to supply chain security notes that the federal government must now use its purchasing power to require application developers to write secure code, making adherence a condition of vendors keeping their contracts to supply government agencies with software. “The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest,” according to the order.

The recent attacks involving telecom providers and the Treasury Department—coupled with the executive order—are putting supply chain security back into the spotlight with an emphasis on why developers, IT and security pros must adhere to practices like DevSecOps.

“The integrity of our software supply chain has again been thrust into focus. This latest executive order will help to establish a common standard for submitting machine-readable software attestations and supporting artifacts like software and cryptographic bill of materials,” Philip George, executive technical strategist at InfoSec Global Federal, told Dice.

For cyber experts like Eric Schwake, the director of cybersecurity strategy at Salt Security, the emphasis on supply chain security, coupled with enhanced sanctions and A.I. development, can lead to better security within government agencies while also benefiting the private sector.

“The executive order's emphasis on securing software supply chains is vital, as weaknesses in software components can lead to widespread issues across systems. Enhanced sanctions empower a deterrent against harmful cyber activities conducted by nation-states and individuals,” Schwake told Dice. “Utilizing A.I. in cyber defense allows for quicker and more effective threat detection and response.”

AI and Cyber

With A.I. dominating tech conversations, the executive order looks to continue the U.S. government’s role in developing and safeguarding these innovations.

The Biden order calls for public-private partnerships to develop A.I. tools for cyber defense with an emphasis on the nation’s critical energy sector. There are also incentives to use A.I. to improve areas such as threat hunting, automated patch management and vulnerability detection.

“The order’s focus on A.I. highlights its dual role as both a transformative cyber defense tool and a potential vector for cyber-attacks,” said James Scobey, CISO at Keeper Security. “A.I.-driven threat detection, automated incident response and predictive analytics offer immense potential to strengthen cybersecurity postures.”

With the order pushing the bounds of A.I. development, Scobey believes that federal agencies and private firms need to take the time now to upskill their IT and security workforces to prepare them for what is coming and harness the potential.

“Workforce development is another vital element of this directive. Upskilling teams in areas like A.I.-driven threat analysis, compliance enforcement and secure software development is essential for implementing these directives effectively,” Scobey told Dice.

Others see the public-private partnerships as key to long-term success, which will require IT and security pros to work closely with A.I. technology to realize the full benefits. 

“Specific types of A.I. can perform the micro decision-making necessary to respond to and contain malicious behavior in seconds,” Marcus Fowler, CEO of Darktrace Federal, told Dice. “Private-public partnerships are increasingly critical as some of the key areas of expansion and A.I. innovation are already occurring in the commercial space. Specifically, effective human-A.I. collaboration is augmenting stretched security teams, helping organizations to stay one step ahead of rising threats.”

Thinking Ahead: Post-Quantum Cryptography

Most of the Biden executive order focuses on current cybersecurity issues, but the section on post-quantum technology and cryptography seeks to address security concerns that remain years away.

Quantum computing itself is seen as the next evolution in computing, which will allow for the development of machines that work with “qubits,” essentially enabling a bit of data to act as both a 0 and 1 at the same time. In turn, quantum computers will be able to analyze multiple solutions and outputs simultaneously.

While companies such as Microsoft, Google and IBM are pouring millions into developing quantum systems and solutions, significant breakthroughs are still viewed as years away from any practical use. When that happens, however, these machines would be able to break current cryptography standards as the executive order details.

“Quantum computers pose significant risk to the national security, including the economic security, of the United States,” according to the order. “Most notably, a quantum computer of sufficient size and sophistication—also known as a cryptanalytically relevant quantum computer (CRQC)—will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.”

These future probabilities are why the Biden executive order focuses on the development of post-quantum cryptography (PQC) and why the federal government needs to focus on adopting these cybersecurity technologies.

“On the topic of PQC, there will be a concerted effort to expand awareness around PQC-ready products by providing a list of product categories that support PQC. Subsequently, agencies will be required to include a requirement for products that support PQC preparedness and adoption in future solicitations,” George added. “Lastly, agencies will be required to start adopting new PQC standards after identifying network security products and services that are actively employed within their systems. There will also be direct outreach from the US government to its allies and partners to encourage similar action within their technology environments.”

To meet the standards, tech and security pros working inside and outside of the federal government will need to develop familiarity with the guidelines and instructions developed by the National Institute of Standards and Technology (NIST), Sectigo’s Jason Soroko added.

“Each federal agency must transition to quantum-resistant cryptography for all new systems and communications within a specific, near-term timeline – generally set at 18 to 24 months from issuance. The order also mandates that within this same period, agencies develop a detailed plan to retrofit or replace any legacy systems that cannot meet new standards,” Soroko noted. “In practical terms, this means agencies cannot deploy new encryption tools unless they align with NIST-approved quantum-resistant algorithms.”