Biden trumps Donald with cybersecurity executive order

Lays out long path for incoming prez to walk back over

Outgoing US president Joe Biden set a cyber trap for the incoming Trump administration yesterday, with a lengthy executive order aimed at “strengthening and promoting innovation in the nation’s cybersecurity”.

With space and cloud-based systems specifically called out, the order has the potential to directly impact some of Trump’s new friends in Silicon Valley.

The order coincided with a flurry of announcements from CISA, including a call to “Close the Software Understanding Gap” and a valedictory speech from the agency’s outgoing chief, Jen Easterly, which banged the drum for expanding the agency’s workforce.

But with the incoming administration committed to stripping down the [deep] state and junking regulation, it’s hard to see Trump 2.0 leaving the order in place or paying too much heed to CISA.

Which could leave the new occupant of the White House a hostage to fortune, or at least to shouts of "I told you so", should the US experience a catastrophic cyber reversal on his watch.

Biden’s executive order set out “additional actions to improve our Nation’s cybersecurity, focusing on defending our digital infrastructure, securing the services and capabilities most vital to the digital domain, and building our capability to address key threats, including those from the People’s Republic of China.”  

It also demanded improved accountability from software and cloud service providers, strengthened security of Federal comms, and “promoting innovative developments and the use of emerging technologies for cybersecurity” across the government.

And it called for better transparency in third-party software supply chains and moves by the Federal government to “adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.”

This was accompanied by multiple deadlines, starting with new contract language for Federal software suppliers within 30 days, under the auspices of CISA. It also lays out requirements on space systems and cybersecurity, including both Federal and civilian operations.

This all chimed in with CISA’s call, in partnership with other agencies such as DARPA and the NSA, for “decisive and coordinated action by the US government to obtain a deep, scalable understanding of software controlled systems.”

But will it chime in with the Trump 2.0 agenda?

The incoming president’s platform did cite cyber, promising that “Republicans will use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors. This will be a National Priority, and we will both raise the Security Standards for our Critical Systems and Networks and defend them against bad actors.”

But the Trump manifesto also takes aim at “costly and burdensome regulations” and “wasteful federal spending”. So, stringent obligations on cloud or software providers don't seem to be part of the programme.

Stephanie Pell, at the Brookings Institution, predicted last month that “A new Trump administration is likely to reject aspects of the Biden administration’s cyber strategies, while continuing others.”

This is likely to mean more “defend forward”, offensive cyberactivity, she predicted, while “industry regulation and liability” is likely to be targeted.

For the last few years, Biden’s cybersecurity strategy aimed to shift the burden away from small business, consumers, and local entities such as schools and hospitals.

But as Pell points out, “At this juncture, it’s fair to say that Trump 2.0 is likely to reject those aspects of any strategy that entails more regulation of the private sector.”
