The Good, the Bad, and the Politics of Biden’s Cybersecurity Order
2025-1-17 18:55:33 Author: securityboulevard.com

President Biden’s last-minute, expansive cybersecurity executive order, which touches everything from software development to artificial intelligence and uses the strength of the federal government’s $100 billion in IT spending to bend vendors in its direction, is getting relatively good reviews, with some in the security field seeing some misses.

There also are questions about its durability with the Trump Administration taking over on January 20, given its anti-regulation stance and its general disagreements with the outgoing regime.

The executive order (EO) is a parting shot for a White House that issued its first one months after coming into power in the wake of the ransomware attack on Colonial Pipeline that disrupted gas distribution in the country, particularly in the Southeast.


The latest EO focuses on the growing number of ransomware incidents and on attacks by state-sponsored threat groups from such countries as Russia, China, North Korea, and Iran against critical infrastructure and private companies, Microsoft among them.

The EO gives the United States greater leeway to level sanctions against threat groups that target critical infrastructure. This comes amid attacks against such sectors as health care, water systems, energy grids, and telecommunications. China in particular has ramped up its efforts, with attacks on telecom giants like AT&T, Verizon, and T-Mobile and on other critical infrastructure sectors.

Secure Software, AI, and Quantum

There also are provisions regarding software used by federal agencies and software supply chains that go beyond the Secure by Design program implemented by CISA. Software makers will not only have to attest to the security of their products but also prove that their software complies with requirements that will be drawn up.

Biden also wants the federal government to be able to respond rapidly to cyberthreats and to begin addressing issues regarding advanced technologies like AI and quantum computing. The EO calls on the government to develop AI tools for detecting and patching software vulnerabilities and for detecting threats, and to create public-private partnerships that use AI to better protect critical infrastructure.

Government officials in the United States have said quantum computers in the wrong hands pose a national security threat to the country, including with the ease they likely will have in breaking current encryption standards.

‘A Bold Step’

“President Biden’s final cybersecurity executive order takes a bold step in addressing the evolving threats our nation faces, particularly from adversarial states like China, Russia, and North Korea,” said Andrew Borene, executive director of global security for Flashpoint and a former senior official with the U.S. Office of the Director of National Intelligence (ODNI). “With its focus on secure software standards, emerging technologies, and critical infrastructure, the order demonstrates a clear understanding of the challenges at hand and the need for decisive action.”

Eric Schwake, director of cybersecurity strategy at Salt Security, said the EO “marks a notable advancement in enhancing national cybersecurity, targeting vital areas such as software supply chains, sanctions, and the application of AI in cyber defense. This all-encompassing strategy recognizes the shifting landscape of cyber threats and emphasizes the importance of proactive steps to safeguard critical infrastructure and national security.”

Schwake pointed to several points in particular, including the need to protect APIs – important for everything from enabling remote monitoring and data exchange to automation – to secure the software supply chain, and to use AI to bolster cybersecurity.

AI a Key Point

Others also called out the issue of AI, both as a tool to improve protections and as a threat in the hands of bad actors.

“While the order calls out AI’s ability to rapidly and effectively identify threats, greater emphasis and prioritization should be placed on AI’s role in stopping them as well,” Darktrace Federal CEO Marcus Fowler said. “Specific types of AI can perform the micro decision-making necessary to respond to and contain malicious behavior in seconds.”

Fowler also noted that private-public partnerships will be critical, given the innovation happening in the private sector, particularly in the growing use of AI to augment already stretched security teams.

Christian Geyer, CEO and founder of data-mining firm Actfore, said that staying at the forefront of AI development will strengthen the United States’ national security and urged government leaders to stay committed to improving cybersecurity through both technology innovation and legislative efforts.

“Although the pace of technological advancement may sometimes outstrip current legislation, this presents an opportunity for the U.S. to strengthen its regulatory frameworks and stay ahead of potential threats,” Geyer said.

Bolstering the Supply Chain

Strengthening the software supply chain also was a hot topic. Sean Costigan, managing director of resilience strategy at Red Sift and head of NATO’s Defense Education Enhancement program, said it was important to remember that much of the EO is written as guidance. However, Costigan highlighted the EO’s focus on software security, adding that “poor code and insecure devices introduce vulnerabilities at scale, and this order helps make software secure by design and default.”

He also reiterated that the scale of the U.S. government’s presence in the IT market gives it considerable sway in making things happen. It is “the primary steward for sensitive and classified information and, as the world’s largest customer, has the power to influence markets and how things are made. Poor cybersecurity has clear negative impacts on economic and national security, while the majority of critical infrastructure is privately held.”

Brian Reed, senior director of cybersecurity strategy at Proofpoint, said that “the directive’s call for accountability from suppliers, vendors, and third parties in supply chain security sets a new standard, especially for vendors selling to the U.S. federal government. Transparency is no longer simply a nice-to-have – it’s now a mandate.”

Questions Raised

There also were concerns. Gary Barlet, public sector CTO at Illumio and a former federal CIO, said that giving CISA the ability to run pen tests on federal agencies’ networks could be a “recipe for disaster” and that the agencies would be on the hook for any fallout.

The EO requires software providers who sell to government agencies to share information from their tools with CISA, said Tim Erlin, security strategist at Wallarm.

“When requiring compliance from software vendors, there’s always a risk that the cost of compliance will discourage some vendors from doing business with the government,” he said. “The requirements have to be worth the risk, and with cybersecurity, they often are. Still, it’s possible for compliance to have a chilling effect on innovation.”

There’s Always Politics

What remains to be seen is what happens to the EO and other federal-level cybersecurity efforts with the new administration. Most are taking a wait-and-see approach. Red Sift’s Costigan said such issues as improving encryption and authentication practices and sanctioning attackers tend to be bipartisan.

“While there are likely some who will be primarily concerned about perceived regulatory overreach, these long-standing cybersecurity issues bridge administrations,” he said. “Nonetheless, efforts to further move the private sector to commit to a set of minimum cybersecurity standards may be closely scrutinized by the incoming administration.”

Illumio’s Barlet said the EO “provides an opportunity to bring renewed focus and energy to government technology by building on the existing foundations and progress.”

However, whether those opportunities are realized will depend on the Trump Administration, Barlet said.

The key now is keeping the momentum going, Proofpoint’s Reed said.

“Cybersecurity policy and mandates have garnered bipartisan support from both Democrat and Republican administrations that recognize the pivotal role it plays in national security,” he said. “Hopefully, this bipartisan consensus will continue to support the future of our national security efforts alongside the recognition of CISA’s important contributions. These efforts must be resourced, prioritized, and executed consistently, regardless of political shifts. Cybersecurity isn’t just a checkbox; it’s a marathon.”

Article source: https://securityboulevard.com/2025/01/the-good-the-bad-and-the-politics-of-bidens-cybersecurity-order/