According to recent reporting, in the dwindling time left in office, the Biden Administration is racing to put out a cybersecurity Executive Order (EO) focusing on the recent spate of alleged China intrusions against U.S. organizations.  Among the directives in the undated draft of the report seen by one news outlet, the government intends to mandate “strong identity authentication and encryption” across communications and will include such measures as developing guidelines to safeguard cryptographic keys used by cloud software contractors, encouraging software providers to follow basic cybersecurity hygiene, and even requiring federal contractors to better manage access to cloud resources.  If and when it comes out, this will be the second cybersecurity-related EO signed by Biden.

No doubt, the revelation of China’s various TYPHOON cyber campaigns has had some influence on the rollout.  China’s ongoing global cyber activities have challenged more than one administration, with none achieving any meaningful change in Beijing’s behavior.  With estimates of Chinese industrial espionage costing the U.S. economy anywhere between USD $225 billion and USD $600 billion, the executive able to mitigate and/or reduce the volume of theft would have made tremendous gains, especially given China’s brazen response when called out for such activities.  Typically, economic sanctions and naming-and-shaming have been the go-to punitive responses from U.S. presidents to punish Chinese entities allegedly tied to cyber espionage activities.  But these have done little to deter behavior and have been met with equal Chinese resistance, with its own media campaigns countering U.S. narratives and its own reciprocal sanctions imposed for perceived U.S. transgression.

Now, set against the backdrop of what has been perceived as a ramp-up of China cyber espionage into potentially disruptive activities, the EO correctly applies lessons learned from the various TYPHOON campaigns, as well as other high-profile breaches that occurred during Biden’s term.  Certainly, clearer direction on how to secure areas like artificial intelligence and bolstering border gateway protocol security requirements are essential in continuing to make federal systems more resilient.  These are positive and necessary developments in evolving the United States’ cybersecurity posture, and directly reflect insights gained from addressing real-world intrusions by identifying what went wrong and correcting it via directives.  As always, the key will be holding agencies accountable for their adherence to them, something that continues to be a thorn in the side of cybersecurity implementation.

Even though the EO is believed to have been in the works for several months, it is curious that the Biden Administration appears to be trying to fast-track it before he leaves office.  From one perspective, the expediency of this EO on an issue as complex and arduous as cybersecurity mandates seems an almost desperate attempt by a president to preserve his legacy with one last act.  After all, Biden had four years to roll out such measures when they may have had more of an impact in bolstering the United States’ cyber defenses and preparedness.  What’s more, aside from the fact that EOs can be repealed by succeeding presidents – something that Biden did with Trump when he came into office – the idea of instituting these mandates when the very senior officials that helped put it together may be replaced in the new Administration seems concerning at the very least.  There is no love lost between the two men, and it is clear that new presidents have had little problem revoking the EOs of their predecessors in favor of instituting their own policies.

Fortunately, cybersecurity is generally an apolitical issue, or at least, it should be given that no administration as of yet regardless of political party has gotten it right.  This is largely because cybersecurity is an evolutionary progression and not a program that can be ejected and replaced easily.  On a state level, it benefits from a steady process of building on what’s already in place, learning from mistakes, and improving on how it’s been done as new technologies emerge on the scene.  What’s particularly promising is that during Trump’s first term his administration backed a zero-trust strategy plan, something that Biden carried over into his term.  Now entering his second term, it is likely that Trump will continue to promote this track as well.  This is exactly the kind of continuance that is needed to make consequential strides in improving U.S. cybersecurity efforts.  If some of the areas covered in the draft EO are valid and remain in the final version, Trump will likely see the value in some of them and keep them in place when he enters office.  It is difficult to argue against measures that strengthen zero-trust just because they were initiated by the opposing party.

However, one facet of the EO that could likely face a setback is the section that will purportedly grant the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) more power and keep in place its persistent access capabilities (PAC) program for civilian agencies, even though PAC was not specifically mentioned in the draft EO.  The PAC allows CISA to maintain continuous access to a compromised system or network, even after a breach has been identified, mitigated, and remediated.  Currently, as many as 76 agencies are using PAC tools like endpoint detection and response devices, which facilitate threat hunting, according to an Office of Management and Budget report to Congress.  CISA is already in the hot seat as the Trump administration is poised to take control, and if this section were to remain in its draft form, CISA would have tremendous access into agencies’ networks and the authority to commandeer control over the network in the event of a cyber attack, something that gives agencies, and no doubt the new president, pause.

While Biden’s efforts at the conclusion of his term are admirable, they do raise the question of whether these efforts would have been strengthened by working in concert with the incoming President as well, to ensure that they align with the new policies coming through, since EOs can be rescinded as quickly as they are implemented.  This would have achieved the objective of bolstering Biden’s presidential legacy by collaborating on a politically agnostic issue such as cybersecurity while positioning the new Administration in a good place for Trump to engage on critical issues such as China, artificial intelligence, and chip development, to name a few.  This would have been a huge success and a signal for what the United States needs to do as its executive leadership changes so frequently – that despite political conflicts and disagreements, it is unified in its commitment to crossing the aisle to strengthen the posture of the country.

Tagged: Cybersecurity
Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.