President-elect Donald J. Trump takes the oath of office (for the second time) at noon EST on Monday, Jan. 20, 2025. Meanwhile, the Biden administration sent a string of last-minute directives and warnings regarding cybersecurity over this past week.
At top of the list, an executive order (EO) was issued on Jan. 16, 2025, entitled, "Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity." Here are some excerpts:
"Building on the foundational steps I directed in Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy, I am ordering additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China. Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector are especially critical to improvement of the Nation’s cybersecurity. …
"(i) Within 30 days of the date of this order, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall recommend to the Federal Acquisition Regulatory Council (FAR Council) contract language requiring software providers to submit to CISA through CISA’s Repository for Software Attestation and Artifacts (RSAA):
"(A) machine-readable secure software development attestations;
"(B) high-level artifacts to validate those attestations; and
"(C) a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers. …”
The EO goes on to touch on a wide-ranging list of cybersecurity topics. This NPR article summarizes the topics covered as well as potential impacts in many areas, including mandates to adopt quantum-resistant algorithms to protect against theft and decryption by adversaries.
As far as “the elephant in the room” regarding the impact of this EO once the new administration arrives, “Incoming Trump officials can cancel or replace Biden's executive actions at will. But the hope, [Deputy National Security Advisor for Cyber and Emerging Technology Anne] Neuberger said, is that the aims of the executive order are broadly bipartisan.
"Industry and policy experts are praising the executive order and encouraging President-elect Trump to maintain and build on the Biden team's cybersecurity efforts. …"
PARTING WORDS FROM CISA DIRECTOR
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), wrote this parting blog last week, noting that “China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation.”
Her words carry a lot of impact, and she highlighted her testimony and agency accomplishments over the past few years. It will be interesting to see what near-term changes are coming in areas like the private-sector mandates on reporting incidents. She wrote:
- "Every victim of a cyber incident should report it to CISA, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security.
- "Every critical infrastructure business should establish a relationship with their local CISA team and enroll in our free services, particularly our Vulnerability Scanning program, to help identify and reduce vulnerabilities that are actively being exploited by PRC actors.
- "Every critical infrastructure organization should double down on their commitment to resilience. CEOs, Boards, and every business leader must recognize that they own cyber risk as a business risk and a matter of good governance. They must expect disruption, continually testing the continuity of critical systems and functions to ensure they can operate through disruption and recover rapidly from an attack.
- "Finally, every technology manufacturer and software producer should design, build, test, and deploy their products using the practices outlined in our joint Secure by Design guidance. We must drive toward a future where technology products are safe by design and defective products are not present in critical infrastructure systems."
TREASURY HACK HAD WIDER IMPACT
And if parting messages from top cyber officials were not enough, details of previously reported hacks underlined the importance of these cybersecurity messages.
For example, this headline from Reuters grabbed global media attention: "Chinese hackers accessed Yellen's computer in US Treasury breach, Bloomberg News reports."
"U.S. Treasury Secretary Janet Yellen's computer was hacked and unclassified files were accessed as part of a broader breach of the Treasury Department by Chinese state-sponsored hackers, Bloomberg News reported on Thursday, citing two people familiar with the matter.
"The computers of two of Yellen's lieutenants, Deputy Secretary Wally Adeyemo and Acting Under Secretary Brad Smith, were also breached, the report said. …"
The recent announcements about Yellen’s computer are part of a wider hack of the Treasury Department that was announced at the end of last year. On Dec. 31, Reuters reported: "US Treasury says Chinese hackers stole documents in 'major incident.'" At that time, they wrote: “The Treasury Department said it was alerted to the breach by BeyondTrust on Dec. 8 and that it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact."
BIDEN ADMINISTRATION LEGACY ON CYBERSECURITY
The Biden administration’s legacy on cybersecurity will still be written in the months and years ahead. In my opinion, it is too early to close the chapter on their cybersecurity accomplishments and flaws, and I will return to this topic later this year, once it becomes clearer as to what will happen next with the Trump administration’s cybersecurity plans. Also, we still may hear of more cyber attacks and data breaches that happened over the past four years that are not public yet.
Nevertheless, it is not too soon to say that cybersecurity remained a top priority for President Biden, and this overall issue remains a bipartisan priority for the economy, defense, government operations and much more.
Key Biden administration accomplishments on cybersecurity include the 2021 Executive Order on Improving the Nation's Cybersecurity, which aimed to modernize federal cybersecurity defenses and enhance public-private collaboration. The order introduced initiatives like establishing a Cyber Safety Review Board and mandating stronger security practices for software supply chains.
In addition, the administration focused on improving the security of critical infrastructure, including energy, water and communications sectors, following high-profile attacks like the Colonial Pipeline ransomware attack. The administration also emphasized developing a national strategy for ransomware and engaging in diplomatic efforts to curb state-sponsored cyber attacks, particularly from Russia and China. The government has also supported the private sector in strengthening defenses through incentives and collaboration with tech firms to tackle emerging threats, but many in the private sector pushed back on the new reporting mandates and regulations which were championed.
FINAL THOUGHTS
As we prepare for another peaceful, democratic succession of government, it is amazing to watch different public and private institutions work on topics like cyber defense for our nation.
Just as there are partisan and personal disagreements on who should get the credit for the Israel-Hamas ceasefire hostage deal, there are and will be finger-pointing and disagreements over cybersecurity successes and failures.
Nevertheless, this cyber topic remains a largely nonpartisan issue for now, despite differences in the best approaches to achieve desired security results. But heed the warnings, because we are a long way from declaring “cyber mission accomplished” for any president.
