The Biden Administration has established a new executive order with intention to bolster the nation’s cybersecurity. This executive order includes provisions for:

• Improving software supply chain transparency and security
• Securing federal communications
• Boosting federal cybersecurity 
• Strengthening digital identities
• Utilizing artificial intelligence (AI) in cyber defense
• Increasing sanction power against nations and individuals 
• Establishing quantum-resistant encryption

Below, security leaders discuss the executive order and its implications. 

Security leaders weigh in 

Casey Ellis, Founder at Bugcrowd:

This final executive order has been somewhat of an open secret in Washington, with drafts being circulated to a limited audience for a few weeks now. The Whitehouse, and especially departments like ONCD, have built up a lot of technical expertise on the topics covered off by this EO over a particularly transformational time in technology, and many of those involved are political appointees or staffers who’s tours are coming to a close. Despite the strong chance that the order will be promptly reversed with the administration change, this EO is a clear effort to ensure that the core cybersecurity, safety, and International Relations equities conclusions developed over the past four years are a part of the United States policy zeitgeist.

Marcus Fowler, CEO of Darktrace Federal:

It is encouraging to see a recognition of the huge potential of AI-powered cybersecurity in this latest executive order. While AI presents new challenges for cybersecurity by enabling greater speed, scale and sophistication of attacks, it also serves as our best defense.  

The threat landscape continues to increase in sophistication in the age of AI. We are seeing a rise in novel multi-stage and multi-domain attacks that take advantage of a lack of visibility and siloes to move undetected between systems. The adoption of AI-powered cybersecurity tools — such as solutions with anomaly-based detection capabilities that can detect and respond to both known and novel threat — are instrumental in keeping both public and private sector organizations secure. 

While the order calls out AI’s ability to rapidly and effectively identify threats, greater emphasis and prioritization should be placed on AI’s role in stopping them as well. Specific types of AI can perform the micro decision-making necessary to respond to and contain malicious behavior in seconds. Private-Public partnerships are increasingly critical as some of the key areas of expansion and AI innovation are already occurring in the commercial space. Specifically, effective human-AI collaboration is augmenting stretched security teams, helping organizations to stay one step ahead of rising threats.  

We look forward to working with the next administration on the huge potential of AI-powered cybersecurity to improve the nation’s security. Together, we can help realize AI’s transformative potential in improving the cybersecurity posture of our federal agencies and beyond.

Jason Soroko, Senior Fellow at Sectigo:

Based on the text of the executive order, each federal agency must transition to quantum-resistant cryptography for all new systems and communications within a specific, near-term timeline — generally set at 18 to 24 months from issuance. The order also mandates that within this same period, agencies develop a detailed plan to retrofit or replace any legacy systems that cannot meet new standards.

In practical terms, this means agencies cannot deploy new encryption tools unless they align with NIST-approved quantum-resistant algorithms.

The order also imposes strict standards on the private sector, especially software suppliers. Firms vying for federal contracts must prove secure development practices and compliance with rigorous testing, patching, and reporting obligations. This can have the effect of forcing suppliers to harden their products overall, not just for offerings meant for the federal government.

James Yeager, VP of Public Sector at Abnormal Security:

Biden’s Executive Order puts a large focus on AI use for cyber defense — no surprise, given AI’s powerful potential to better anticipate and mitigate national security threats. However, limiting the program to the Pentagon (as outlined in the EO summary) is disconcerting. It’s potentially a missed opportunity to additionally support the Executive Branch and FCEB agencies, many of which are on the frontlines of grappling with increasingly sophisticated and targeted cyberattacks. 

Additionally, the EO’s proposed establishment of working groups to conduct more threat hunting and EDR in federal networks is encouraging. But threat hunting goes hand in hand with visibility, and it will be interesting to see what guidance CISA releases around how visibility is defined and promoted. 

I think there is an opportunity here to open up the aperture when it comes to defining ‘visibility.’ For example, email continues to be the number one threat vector facing organizations today, and is the root cause of the vast majority of federal incidents and breaches. Expanding visibility into systems like email could be necessary precursors for conducting effective threat hunting in federal networks. 

Lastly, the push for digital identity documents and validation services promises enhancements to the process of applying for public benefits, but comes with potential risks. Public sector organizations may need to prepare for spikes in identity-based fraud, for example, and figure out how they protect a deluge of PII from being exploited by adversaries.