As China hacking threat builds, Biden to order tougher cybersecurity standards

Published 01/10/2025, 04:16 PM
Updated 01/10/2025, 05:52 PM
© Reuters. U.S. President Joe Biden speaks at a media briefing in the Oval Office at the White House in Washington, U.S., January 10, 2025. REUTERS/Elizabeth Frantz

By AJ Vicens

DETROIT (Reuters) - President Joe Biden is calling for tighter cybersecurity standards for federal agencies and contractors in a new executive order due to be published in the coming days, pushing reforms designed to address repeated Chinese-linked cyber operations and cybercriminal operations, according to a draft of the order seen by Reuters.

The order is set to land in the waning days of Biden’s presidency, during which several high-profile, Chinese-linked hacks occurred, according to the U.S. government and cybersecurity research groups. The alleged activity targeted critical infrastructure, government emails, major telecom firms and, most recently, the U.S. Treasury Department. Beijing has rejected the allegations.

Biden's proposal calls for tougher standards for secure software development, the ability to verify that those standards have been met, and a process for the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the process, according to the draft.

Vendors will have to provide secure software development documentation to be evaluated and validated by CISA through the agency's software attestation program. Attestations that "fail validation" could be referred to the attorney general for “action as appropriate,” according to the draft.

Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security, said the attestation provisions do not go far enough but that he “applauds” the efforts to push more secure software development. The timelines for implementation laid out by the order seem “arbitrary,” he said, given the immediacy of the threats from China, Russia and powerful cybercriminal syndicates.

“They’re already here,” Kellermann said. “We are dealing with literally an insurgency across critical infrastructure and U.S. government agencies that has been stoked by the Russians and Chinese.”

The order also mandates the development of guidelines to securely manage access tokens and cryptographic keys used by cloud providers. Chinese-linked hackers abused this method to access email accounts used by top U.S. government officials in May of 2023, Microsoft (NASDAQ:MSFT) said at the time.

Brandon Wales, vice president of cybersecurity strategy at cybersecurity company SentinelOne (NYSE:S) and formerly a top CISA official, told Reuters the order builds on ongoing work over the last five years to develop capabilities and get the right authorities and funding. While the threat from China looms large – a “pacing threat” that is “driving the urgency and focus across the government” – the U.S. government and the private sector face a plethora of threats that need to be addressed.

“It makes sense to continue to look for ways to get the most value out of capabilities that have been built over the past two administrations,” Wales said. 

The White House declined to comment and CISA did not respond to a request for comment.
