Four days before leaving office, US President Joe Biden issued a sweeping cybersecurity directive ordering changes to the way the government monitors its networks, purchases software, uses artificial intelligence and punishes foreign hackers.
The 40-page executive order unveiled Thursday is the latest attempt by the Biden White House to revive efforts to harness the security benefits of AI, implement virtual identities for U.S. citizens and close loopholes that have helped China, Russia and other adversaries penetrate government systems.
The order “targets America’s virtual foundation and also puts the new administration and the country on the path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cybersecurity and emerging technologies, told reporters Wednesday.
Looming over Biden’s directive is whether President-elect Donald Trump will pursue any of those projects after he is sworn in on Monday. None of the highly technical projects mandated by the order are partisan, but Trump’s advisers would likely prefer other approaches (or timelines) to address the problems the order identifies.
Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”
At the heart of the executive order is a set of mandates for government networks, based on lessons learned from recent major incidents, namely security lapses by federal contractors.
The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.
The order gives the Commerce Department eight months to compare the cyber practices most commonly used in the business world and the guidance based on them. Soon after, such practices would be mandatory for corporations wishing to do business with the government. The directive also begins updating the National Institute of Standards and Technology’s Secure Software Development Guidelines.
Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.
To protect federal agencies from attacks that rely on flaws in Internet of Things devices, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the new U.S. Cyber Trust Mark.
Another component of the order strengthens CISA’s ability to monitor cyberattacks within the government by leveraging security software operated by other agencies. It’s an attempt to close the visibility gaps that adversaries have effectively exploited in intrusions, including the 2020 SolarWinds hack. The order requires agencies to provide CISA with direct access to their security platforms and allow CISA to carry out threat-hunting activities on their networks without prior notice.
“If we locate a specific strategy that a foreign government is hacking into a specific federal agency,” Neuberger said, “that now provides CISA with centralized visibility to track all of the agency’s systems and make sure that it allows us to largely protect enemies to this attack.”
AI-related security dangers and opportunities play a major role in the order. The document directs the Departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department is expected to launch a program to use “advanced AI models” for cyber defense.
Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics such as how humans and AI can work together to analyze cyber threat data, how to ensure the security of AI-generated code, how to design safe AI models and how to guard against cyber incidents involving artificial intelligence systems.
Biden’s executive order attempts to boost agencies’ use of virtual identification documents to expedite citizenship and reduce waste and fraud. The directive asks agencies to “consider accepting virtual ID documents” as proof of eligibility to receive public benefits. The Commerce Department would have 270 days to provide guidance to help agencies do so.
Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.
The order also lowers the bar for the government to sanction those who conduct cyberattacks on U.S. critical infrastructure, potentially easing obstacles to implementing one of Washington’s favorite responses to major attacks.