New Executive Order Bolsters the Nation’s Cyber Defenses
By: Sheila Armstrong, Corey Bieber, Guillermo Christensen, Brian Hopkins, and J.D. Koesters
In a significant move to bolster the United States’ cybersecurity framework, President Biden issued an executive order (EO) titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” on 16 January 2025, days before leaving the White House. This comprehensive directive outlines measures designed to enhance the security of federal systems, improve transparency in third-party software supply chains, and leverage emerging technologies to fortify cyber defenses.
Combating Cyber Crime, Fraud, and Ransomware
The EO includes several provisions designed to address the prevalence of cybercrime, including fraud and ransomware attacks, which have been on the rise in recent years. For example, the EO addresses the use of stolen and synthetic identities in defrauding public benefits programs. It also encourages the use of digital identity documents for identity verification, provided that such use adheres to principles of privacy and interoperability. The EO also promotes the development of “Yes/No” validation services to reduce identity fraud, allowing for privacy-preserving verification methods.
The EO also includes specific measures aimed at countering ransomware attacks. It amends Executive Order 13694 of 1 April 2015 to block property and interests in property of persons engaged in significant malicious cyber-enabled activities, including ransomware attacks. This revision allows for the freezing of assets of individuals and entities involved in such activities, effectively creating a financial deterrent against ransomware payments.
Enhancing Third-Party Software Security and Improving Federal Systems’ Cybersecurity
The EO mandates rigorous security standards for software providers to the federal government. Within 30 days, the Office of Management and Budget, in consultation with the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency (CISA), will recommend contract language requiring software providers to submit secure software development attestations and artifacts, in addition to the Software Bill of Materials currently required. This aims to ensure that only software adhering to secure development practices is used in federal systems, thereby reducing vulnerabilities.
Federal agencies are required to adopt proven security practices, including advanced identity and access management technologies. The directive emphasizes the importance of phishing-resistant authentication methods such as WebAuthn. Furthermore, CISA is tasked with developing technical capabilities to monitor threats across federal systems, which includes gaining timely access to data from agency endpoint detection and response solutions.
The EO directs the modernization of IT infrastructure and networks supporting federal missions, emphasizing the adoption of zero trust architectures and other advanced cybersecurity practices. It also seeks to establish minimum cybersecurity requirements for businesses, thereby raising the baseline of cybersecurity across various sectors.
This EO represents a comprehensive approach to strengthening the nation’s cybersecurity defenses. By setting stringent requirements for software providers, enhancing federal system security, and leveraging emerging technologies, the administration aims to create a more resilient cyber infrastructure. The provisions to combat ransomware by targeting the financial aspects of cybercrime demonstrate a proactive stance in addressing one of the most pressing cybersecurity threats facing the nation today.
The K&L Gates US National Security Law and Policy and Data Protection, Privacy, and Cybersecurity groups are actively monitoring these developments and will publish additional guidance regarding these policy initiatives soon.