An upcoming executive order soon to be signed by President Joe Biden will include language on the use of artificial intelligence for cyber defense, along with efforts to vastly improve the cybersecurity of federal technologies, according to a summary of the executive order shared with POLITICO shared.
The order has been in the works since at least last summer and will be the third and final executive order addressing cybersecurity policy issues during Biden’s remaining term. It will be a sampling of the latest cyber requirements before Biden leaves, although its future under the new Trump administration is uncertain as Trump has not yet made clear his intentions to strengthen cyber policy.
According to the summary, the executive order at the Pentagon would establish a program to use AI models to supplement cyber defense efforts. Additionally, the executive order would create a pilot program in the energy sector for using AI to improve cybersecurity.
This would likely build on work by the Pentagon’s Defense Advanced Research Projects Agency to explore how AI can be used to build the cybersecurity of critical systems. Anne Neuberger, deputy national security adviser for cyber and emerging technology, told POLITICO in August that she was working to connect the Energy Department and DARPA to put the findings to use.
The order also addresses broader issues such as software security, which has become a headache for the Biden administration in recent years. Several major cyber incidents have been caused by hackers exploiting vulnerabilities in defective software used by both federal agencies and private companies.
The executive order would amend federal acquisition rules to require software companies that supply their products to federal agencies to submit documentation to the Cybersecurity and Infrastructure Security Agency demonstrating that they have implemented strong cybersecurity efforts. This is a formalization of the process that CISA rolled out early last year.
Cloud security is another focus of the executive order. The order would require the Federal Risk and Authorization Management Program (FedRAMP) to develop policies to incentivize private sector cloud service providers to improve the security of their systems, especially if they protect federal data .
Among the provisions is a requirement, first reported by POLITICO, for federal agencies to purchase only internet-connected devices that have been given the voluntary Cyber Trust Mark designation. The program, overseen by the Federal Communications Commission, allows companies to obtain a label that certifies the cybersecurity of their products if they are built to specific standards from the National Institute of Standards and Technology.
The summary indicated that efforts would be made to create “digital identity documents and validation services,” but did not go into further detail. NextGov reported earlier this week that this will mean a push for agencies to use more digital documents, such as driver’s licenses, to speed up the process of applying for public benefits.
The order also calls for increasing cybersecurity of U.S. satellites, an issue that is increasingly in the spotlight as countries like Russia and China threaten U.S. assets in space. Another clause in the order would establish working groups at CISA to help conduct increased threat hunting in federal networks, as well as detect and respond to endpoints.
A White House National Security Council spokesperson could not immediately comment on the details of the executive order or when Biden plans to sign it. Neuberger, who spearheaded the order, plans to leave her position at the end of next week on Jan. 17, narrowing the timeline for signing.
It is unclear whether President-elect Donald Trump will allow the order to remain in effect once he takes office, although cybersecurity issues are typically a bipartisan concern, especially as state-sponsored cyber intrusions remain major national security issues. Trump has not publicly commented on the pending order, although he did sign an executive order in 2017 to strengthen the cybersecurity of critical infrastructure.
