President Biden issued an executive order Thursday that requires software companies that sell their products to the federal government to prove they include ironclad security features that can thwart Chinese intelligence agencies, Russian ransomware gangs, North Korean cryptocurrency thieves and Iranian spies.
But it's unclear whether the Trump administration, which aims to repeal the law or vow to crack down on China in particular, will keep the overhauled cybersecurity rules in place.
This order, which came four days before the end of Mr.
But four years after that day, a difficult conflict – where a new cold war with China played out – hackers often come out on top. In the past two years, there have been repeated, successful breaches of the Chinese grid, the nation's pipelines, the telecommunications system and, in recent weeks, the Ministry of Finance. That attack has led the incoming Trump administration to complain that America's defenses are still easily penetrated and its deterrent force inadequate.
Since the list of Mr. Biden's new laws and orders are growing, including issues such as drilling on the east coast and removing Cuba from the terrorist list, Mr. and instructions.
Others will be sent back next week, making many of Mr. But the new cybersecurity requirements add a wrinkle to that debate, potentially creating a clash between the Trump administration's vow to repeal the law and its promise to protect against Chinese intrusion into American networks.
The new rules will require, for the first time, that companies prove that the software they sell to the federal government meets basic Internet security requirements, and publish evidence of those measures. They cited China's “active and ongoing cyberthreat to the United States” and waves of attacks from other nations and criminal groups.
Yet despite the 50 pages of requirements in the order, Mr. Biden essentially abandons the administration's approach of persuading the private sector to invest in cybersecurity through voluntary programs and public-private partnerships.
He and his aides concluded that the only way to get companies to implement strong cyber security measures is to demand those measures, and force firms to make their specific measures public. That way, if there is another embarrassing breach, it will be clear whether companies have left holes in their defenses.
The new order will increase the government's authority over the software supply chain. The White House, which often uses existing authorities, has already imposed regulations on pipelines, railroads and hospitals.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies who led the program, told reporters Wednesday that the executive order, which is in the works for several months, “is designed to put the country on a path to secure networks across the nation. government and private companies.”
It was caused by a painful experience. Four years ago, when Mr. With Biden as president-elect, Russian spy agencies hacked into code written by SolarWinds, a company that sells network management software to the government and Fortune 500 companies. When SolarWinds updated that software and distributed it to its customers, Russia gained the ability to steal company secrets and spy on government agencies such as the Treasury and Commerce Departments.
Mr. Biden criticized the Russians, and his only meeting as president with President Vladimir V. Putin, in Geneva in 2021, was about the Russian ransomware that froze the Colonial Pipeline, which supplies gas and oil to the east coast. After that session, Ms. Neuberger pressed organizations around the government to write new requirements for companies that do business with them, hoping to use the federal contracting process to force changes in the way firms develop their software.
But the effort did not go far enough. The companies declared that their products met the new criteria, but did not need to prove their assertions. When hackers linked to one of China's intelligence agencies recently breached the Treasury Department, gaining access to thousands of classified documents, they appeared to be hacking through software provided by vendor BeyondTrust. Government officials have said the company has demonstrated that it has met all cybersecurity requirements, but the new rules will force it to make those measures public.
“We told the software companies to just tell us they use it,” Ms. Neuberger said of the organization's old rules. “I think we've realized, in the last four years, we need evidence.”
BeyondTrust said little about the episode, other than a brief statement that it “took steps to address the security incident in early December 2024” and “notified a limited number of customers.” It declined to discuss how the breach occurred.
And the country's major telecommunications companies have not said much about how China's intelligence agencies have discovered new, almost invisible information on their networks. The discovery allowed access to some of the government's secret court-ordered phone-tapping and unrecorded conversations of President-elect Donald J. Trump and Vice President-elect JD Vance. (It is not clear whether the agencies used that access.)
“After major cyberattacks in the past four years, such as China's compromise of Microsoft's cloud, Russia's disabling of a commercial satellite and ransomware attackers forcing hospitals to postpone operations,” said Ms. Neuberger, “we spent seven months carefully analyzing each hack to determine how the attackers got into the gates.”
The new rules may not have made a difference to the job of monitoring telecommunications companies, dubbed the “Salt Typhoon.” They may have helped protect the power grid and water pipelines against a different type of hacking linked to China, which was aimed at disabling those systems in the United States to prevent aid to Taiwan in the event of war on the island.
Under the latest guidelines, any company that receives payments from the $100 billion the federal government spends each year on software will be subject to the requirements. Violators may be referred to the Department of Justice for prosecution.
The new rules will also impose requirements on space systems, after Russia disabled Europe's satellite communications system by attacking its modems on the ground.
But implementing the new order will be left up to the Trump administration, which would have to use deadlines, starting at 120 days. There will come an important time, if the companies decide to check that Mr. Will Trump keep these dates?
Ms. Neuberger noted that the Biden administration adopted many of the rules and regulations left over from the previous Trump administration. He said he expects the returning administration to “do the same.” But that is by no means guaranteed.
And while Ms. Neuberger noted recently that building resilience in American networks has been a bipartisan effort, the incoming national security adviser, Representative Michael Waltz, has spoken more about responding to China's offensive cyberoperations.
As well as John Ratcliffe, chosen by Mr. Trump for CIA director. Mr. Ratcliffe said at his confirmation hearing on Wednesday that the United States is seeing “an attack on our digital borders from half a world away, in a few seconds and a few clicks.” He pointed out that America's ability to prevent such attacks has failed.
“The deterrent effect should be that there are consequences for our enemies if they do that,” he said.
Source link
