Forthcoming executive order seeks to plug holes in federal cyber practices
The document, which has been in the works for months, is expected to be signed Friday or early next week, according to people familiar with the matter. It builds on cyber lessons learned throughout the Biden administration following the signing of a flagship executive order in 2021 that was fueled by the well-storied Colonial Pipeline and SolarWinds hacks.
Since then, the government has faced myriad hacking incidents from nation-state operatives. A recent Chinese hack into the Treasury Department’s systems was likely carried out by a Beijing-backed hacking unit dubbed Silk Typhoon, according to a person familiar with the matter. Bloomberg News first reported the presumed identity of the hackers Wednesday night.
“We’ve learned a lot of lessons over the last four years from … seeing compromises by countries like China,” Deputy National Security Advisor for Cybersecurity and Emerging Technology Anne Neuberger told reporters this week, describing the forthcoming executive action. “We’ve learned what’s worked, and we’ve learned what the gaps are, and our goal was really putting the next administration on the best possible foundation to build on that for success.”
As written, the draft order directs agencies and their industry clients to think harder about where they get their software and how that software’s security is vetted. The Federal Acquisition Regulatory Council, for instance, would be asked to work with key technology and defense agencies to boost oversight of the secure software attestation language submitted by contractors.
Under the order, the government would be required to procure devices that have the newly unveiled Cyber Trust Mark certification label by 2027. The mark is designed to inform consumers that applicable products meet certain government-vetted cybersecurity standards.
Agencies would also need to enroll their systems in endpoint detection and response — or EDR — solutions, which are specialized cybersecurity products programmed to monitor and respond to threats that enter networks. The agencies must also link their EDR data back to the Cybersecurity and Infrastructure Security Agency so the accumulated information can be used for threat hunting and incident response across the federal landscape.
Debates surrounding endpoint solutions soared this past summer when a faulty software update in CrowdStrike’s EDR platform was pushed to millions of Windows computers, causing them to crash with the dreaded “blue screen of death” that impacted multiple federal agencies, as well as numerous companies and transport hubs around the world.
Space systems also get a shoutout in the order. The National Cyber Director, for instance, would be required to craft and submit a study that inventories existing space-connected ground systems, the information they manage and recommendations to improve their cyber defenses.
Ground-based space assets like mission control centers, launch facilities and network equipment used to transmit data are easiest to breach because defending them from intrusions often involves basic cybersecurity practices that many organizations don’t implement, a top DOD official said in May.
Moreover, agencies would be required to strengthen internet and communication security. They would need to register their IP address resources with a regional internet registry and publish Route Origin Authorizations, or ROAs, which help secure internet routing via the Border Gateway Protocol.
BGP is the backbone routing protocol that determines the paths data packets take between networks. The White House has been working to secure this part of the internet for months amid growing fears of BGP hijack attacks, in which attackers take over blocks of internet addresses by corrupting the routes that lead to them.
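The route origin check that ROAs make possible, as an added example that is not part of the article or the order: each ROA says which origin AS may announce a prefix and how specific the announcement may be, and a router compares every received route against the set. The ROAs and announcements below are constructed from documentation address ranges and private AS numbers; the one from AS64496 stands in for the hijack scenario the article describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may announce `prefix` and any
    more-specific prefix down to `max_length` (RFC 6482 semantics)."""
    prefix: str
    max_length: int
    origin_asn: int

    def __post_init__(self) -> None:
        net = ipaddress.ip_network(self.prefix)
        # maxLength shorter than the prefix itself is a malformed ROA.
        if not net.prefixlen <= self.max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {self.max_length} for {self.prefix}")


def covers(roa: ROA, route) -> bool:
    """A ROA covers a route when the ROA prefix contains the route prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_route(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "not-found"          # no ROA speaks to this prefix at all
    for r in covering:
        if r.origin_asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"          # authorized origin, not too specific
    return "invalid"                # covered, but wrong origin or too specific


# Constructed sample data: RFC 5737 documentation prefixes, private ASNs.
ROAS = [ROA("198.51.100.0/22", 24, 64500), ROA("203.0.113.0/24", 24, 64501)]
ANNOUNCEMENTS = [("198.51.100.0/22", 64500), ("198.51.100.0/24", 64500),
                 ("198.51.100.0/25", 64500), ("198.51.100.0/24", 64496),
                 ("192.0.2.0/24", 64502)]


def audit(announcements, roas) -> List[Tuple[str, int, str]]:
    return [(p, asn, validate_route(p, asn, roas)) for p, asn in announcements]


if __name__ == "__main__":
    for p, asn, state in audit(ANNOUNCEMENTS, ROAS):
        print(f"{p:<18} AS{asn:<6} {state}")
```

The /25 announcement is rejected even though the origin is right, because the ROA's maxLength caps how specific a legitimate announcement may be; a "not-found" result is what unregistered prefixes look like, which is why the order pairs publishing ROAs with registering address space.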
On the communications side, agencies would be required to encrypt their internet traffic, secure email connections with encryption and authentication and enable encryption for tools like voice calls, video conferencing and messaging apps. Wherever possible, end-to-end encryption should be used to keep sensitive conversations private, the order says.
A sweeping Chinese hack into U.S. and allied telecom networks around the world has prompted officials to encourage Americans — especially high-value individuals like politicians and government officials — to switch to encrypted messaging services so that the hackers can’t obtain further sensitive intelligence from their conversations. Agencies have also recently been issuing internal communications guidance.
The post-quantum cryptography, or PQC, frontier is also addressed in the draft order. To strengthen overall network encryption and prepare for fault-tolerant quantum computers, DHS and CISA are directed to take the lead in regularly updating a list of software product categories that support post-quantum cryptography.
Post-quantum standards aim to protect today’s computers from future quantum devices that could potentially break through current encryption methods. The draft order directs agencies to adopt hybrid or fully PQC methods for key generation and sharing, using standardized algorithms designed to shield data against quantum computer-powered attacks while maintaining compatibility with current systems.
International collaboration in the post-quantum realm is also a major component. The Secretary of State is directed to work alongside Commerce Department leadership to identify and engage foreign governments and industry groups in select countries to encourage their transition to PQC algorithms standardized by the National Institute of Standards and Technology.
Artificial intelligence’s role in cyber defenses is also featured in the order. One section focuses on leveraging AI software to bolster cybersecurity efforts by quickly identifying and helping to patch network vulnerabilities.
The draft, for instance, says that following completion of the AI Cyber Challenge hosted by the Defense Advanced Research Projects Agency at the DEF CON 2025 hacker conference, leadership from the Departments of Energy, Defense and Homeland Security would collaborate with critical infrastructure operators to launch a pilot program to integrate AI into systems that can detect cyber vulnerabilities and threats in the energy sector.
Additionally, the executive order tasks the Secretary of Defense, Secretary of Homeland Security, the Director of National Intelligence and the Director of the Office of Management and Budget with incorporating AI software vulnerability management and incident response practices into their agencies’ governance frameworks.
The draft also includes some digital identity items, years after Biden promised an executive order focused solely on fraud and identity theft in public benefits. That order has yet to be issued, but the forthcoming cyber decree would push agencies to ramp up their use of mobile driver’s licenses to verify people for public benefits.
Some senior players within the government expressed satisfaction with the final contents of the decree, particularly its level of technicality.
“The EO is a necessary step to protect the nation’s cyber assets,” a senior cybersecurity official told Nextgov/FCW, who was granted anonymity to be candid about their views of the executive action. “Where I think this EO excels is that it is more actionable than others. It pinpoints specific areas that don’t always get the focus such as PQC and BGP [border gateway protocol], although AI gets the press, rightfully so. This EO really emphasizes collaboration, actions and results.”
It’s unclear whether the order will remain in place once the Trump administration takes the helm. Throughout its development, Trump-affiliated staff sought to review the order with Biden officials and scrap parts of it they didn’t like, according to a person familiar with the matter. It wasn’t immediately clear as to how those discussions played out.
Though specific approaches may vary, the imperative to secure government systems against cyber threats has often been a bipartisan objective.