An upcoming executive order soon to be signed by President Joe Biden will include language around using artificial intelligence for cyber defense, along with efforts to broadly tighten the cybersecurity of federal technologies, according to a summary of the executive order shared with POLITICO.
The executive order is the third that Biden will have signed while in office and is aimed at fortifying the nation’s cybersecurity through the use of AI and much-needed upgrades to federal security standards. This order will represent a grab-bag of final cyber requirements before Biden departs.
It is unclear whether President-elect Donald Trump will allow the order to remain in place once he takes office, as he has not yet signaled his intentions for strengthening cyber policies or agencies, though cybersecurity issues are typically of bipartisan concern. The order comes as federal agencies are continuing to assess the fallout from a massive recent China-backed intrusion into U.S. telecommunications providers that allowed hackers to spy on the phones of several high-ranking U.S. officials, including Trump and Vice President-elect JD Vance.
According to the summary, the executive order would establish a program at the Pentagon for using AI models to plus-up cyber defense efforts. In addition, the executive order would create a pilot program in the energy sector for using AI to enhance cybersecurity.
This would likely build upon work by the Pentagon’s Defense Advanced Research Projects Agency to investigate how to use AI to build up cybersecurity of critical systems. Anne Neuberger, deputy national security adviser for cyber and emerging technology, told POLITICO in August that she was working to connect the Energy Department and DARPA to put the findings into use.
The order also addresses wider issues, like software security, which in recent years has become a headache for the Biden administration. Multiple major cyber incidents have been caused by hackers exploiting vulnerabilities in faulty software used broadly by federal agencies and private companies alike.
The executive order would change federal acquisition regulations to require software companies providing their products to federal agencies to submit documentation to the Cybersecurity and Infrastructure Security Agency proving they have implemented strong cybersecurity efforts. This is a formalization of the process that CISA rolled out early last year.
Cloud security is another focus of the executive order. The order would require the Federal Risk and Authorization Management Program, or FedRAMP, to develop policies to push private sector cloud service providers to step up the security of their systems, particularly if they are securing federal data.
Among the provisions is a requirement, first reported by POLITICO, for federal agencies to move to only purchasing internet-connected devices that have been given the voluntary Cyber Trust Mark label. The program, overseen by the Federal Communications Commission, allows companies to obtain a label certifying the cybersecurity of their products if they are built to specific standards from the National Institute of Standards and Technology.
The summary indicated that there would be efforts to create “digital identity documents and validation services,” though it did not go into further detail. NextGov reported earlier this week that this will involve a push for agencies to use more digital documents, like driver’s licenses, to help speed up the process of applying for public benefits.
The order also calls for stepping up the cybersecurity of U.S. satellites, an issue increasingly in the spotlight as nations like Russia and China threaten U.S. assets in space. Another clause in the order would establish working groups at CISA to help with conducting more threat hunting in federal networks, and with endpoint detection and response.
A spokesperson for the White House National Security Council was not immediately able to comment on the details of the executive order, or when Biden plans to sign it. Neuberger, who spearheaded the order, is planning to step down from her role on Jan. 17 at the end of next week, limiting the timeline for signature.
Trump has not commented on the pending order publicly, though he did sign an executive order to strengthen critical infrastructure cybersecurity in 2017.