Tech industry experts digest cybersecurity executive order

IT pros assess a last-minute cybersecurity executive order with new directives on a broad swath of topics, from cybercriminal sanctions to AI and identity management.

An 11th hour cybersecurity executive order from the Biden administration potentially lays the groundwork for policy under the incoming Trump administration, but it's unclear whether it's too little, too late.

The new cybersecurity executive order, issued Thursday, covered a wide range of concerns, including updates to previous White House directives on software supply chain security and cybercrime sanctions. The new order addressed minutiae such as protecting IP address numbers and user identities in federal digital systems, but also issued sweeping calls for pilot programs in areas such as AI cyberdefense for critical infrastructure systems.

Among cybersecurity experts, the initial reaction to the new order was confusion and trepidation about its timing, with less than a week before the Biden administration leaves office, and questions about how closely the next administration will follow it.

"When you look at the scope of it, it's clear this is not something that's been done recently," said Brian Fox, co-founder and CTO of software supply chain security management company Sonatype and a governing board member at the Open Source Security Foundation (OpenSSF). "I think what we're looking at is probably what the [Biden] administration's priorities would have been if they were staying in office."

It's possible the new administration could change course, but in the interim, "There is at least a course set on the rudder" for the Executive Branch in cybersecurity, Fox said. "It would probably take additional executive orders to undo this, so it helps create a default. … I do think there's some value in at least making it part of the public record."

Cyberdefense tends to be an issue with bipartisan support, but the priorities within that field vary by administration, said Joshua Corman, leader of a think tank project called UnDisruptable27, focused on cybersecurity threats at the nexus of water supply and healthcare accessibility.

"Better late than never, but whether it will survive and have continuity, custodianship, care and diligence in execution under the next administration is an open question," he said. "My hunch is it will likely not get [immediate] pushback, which means that at least some of this will stick."

Some cyberdefense priorities were already shared between the first Trump administration and the Biden administration, said Chris Hughes, chief security adviser at software supply chain security company Endor Labs and CEO at Acquia, a cloud and cybersecurity digital services firm.

"There were a lot of parallels between the two administrations [in] zero trust, software supply chain security [and] securing the defense industrial base," Hughes said. "There are going to be differences, in terms of how they treat commercial industry, but when it comes to critical infrastructure and dealing with nation states like China, I think those things are going to be very aligned."

Some parts of the new executive order could be designed to anticipate priorities under the new administration, Hughes said.

"A lot of people suspect that the incoming administration will be more lenient around AI," he said. "It's good to see that the Biden administration is leaning in here and looking to use AI for cyberdefense, rather than being really risk-averse, hands-off and slow to adopt."

However, ensuring cooperation between the federal government and software producers in the private sector will require the government to "walk the walk" more in cybersecurity after a year of high-profile breaches, Hughes said.

"With a lot of these things the government is asking industry to do, they've had a hell of a year themselves," he said. "They ask a lot of security and trust from the industry and their maturity around security, but federal agencies are having quite a rough go of it, too."

Cybercriminal sanctions for ransomware and beyond

A law enforcement action last year against an infamous ransomware gang was an impetus for new sanction guidelines in the new executive order, according to another industry watcher.

"The order's wording applies to identical resources -- sanctions, mitigation and incident reporting -- that were used against the LockBit ransomware gang in 2024," said Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1. "The new criteria will allow federal agencies [such as the U.S. Treasury Department's Office of Foreign Assets Control] to sanction entities that compromise the critical infrastructure sector, cause network disruptions, tamper with elections, cause a misappropriation of funds or economic resources and engage in ransomware attacks."

While ransomware was a primary driving factor behind the new executive order, the scope is broader than ransomware alone, DiMaggio added. He also cited attacks against telecommunications and other critical sectors over the past several years as key drivers behind the order.

For example, in November, CISA and the FBI confirmed that Chinese nation-state actors compromised telecommunications providers to steal sensitive communications. The attacks, which aimed to spy on government and political leaders, were attributed to Salt Typhoon and affected AT&T, Verizon and Lumen Technologies.

"I believe sanctions are effective; however, this sounds more like a blanket statement, and I think it needs to focus on specific activities or groups/organizations/governments to be effective," DiMaggio said. "In other words, placing sanctions against all ransomware payments would be specific, but that's not what this is. … I'm unsure how the high-level direction of this order will affect current ransomware criminals."

AI's 'promise and peril' for critical infrastructure

Other sections of the cybersecurity executive order addressed critical infrastructure cyberdefense in response to other recent nation-state attacks, such as those on water utilities by the Chinese threat group Volt Typhoon. That threat led CISA to issue an incident response guide for the water and wastewater sector last January.

The new executive order now calls for efforts to speed up the development of AI cyberdefense to meet this threat. Within 180 days after the completion of the Defense Advanced Research Projects Agency's 2025 Artificial Intelligence Cyber Challenge, the order directs the secretary of Energy, the secretary of Defense, the director of DARPA and the secretary of Homeland Security to launch a pilot program on the use of AI to improve cyberdefense of critical infrastructure in the energy sector.

The government has lagged private industry in the use of AI tools, so it's a step in the right direction, but short on details so far, said Chirag Mehta, an analyst at Constellation Research.

"The executive order is somewhat broader and less prescriptive with regard to AI [than other areas]," Mehta said. "It provides guidance on how to secure AI systems as the agencies start adopting AI. … We would expect to see more detailed AI security guidance in coming years."

Most large language model providers, including Anthropic and Google, are also working with the federal government to ensure that their systems don't have unintended consequences in revealing national secrets, Mehta said.

UnDisruptable27's Corman said AI security shows long-term promise, "but there's also peril."

"Often when I hear, 'Oh, we're going to use AI,' you might as well substitute the phrase, 'Something magic happens,'" he said. "For even stuff like imagery, there's still a hallucination rate. Can we afford hallucinations? Imagine if 20% of the rivets on the Golden Gate Bridge hallucinate or fail weirdly, or 20% of surgical equipment explodes once implanted. We cannot allow such unreliability in safety-critical engineering spaces."

Corman said he was disappointed in the lack of more specific guidance for private sector critical infrastructure organizations in this executive order, and that it mentions energy but not water utilities. The "27" in UnDisruptable27 stands for 2027, which is when U.S. officials believe China could move against Taiwan, as well as against U.S. critical infrastructure if the government tries to intervene.

"I'm really shocked to see so little on lifeline critical infrastructure resilience," he said. "This presidency is likely to be a wartime presidency, and this will likely be our first hybrid conflict that affects U.S. citizens on U.S. soil. … The idea that people that sell to the federal government also sometimes sell to the private sector -- indirect trickle down resilience -- is not fast enough for the time horizons we face."

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.

Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
