Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
President Biden issued an executive order on Thursday that requires software companies that sell their products to the federal government to prove they have ironclad security that can thwart Chinese intelligence agencies, Russian ransomware gangs, North Korean cryptocurrency thieves and Iranian spies.
But it is unclear whether the incoming Trump administration, which has promised to strip away regulation even as it vows to take on China, will keep the cybersecurity rules in place.
The order, which came with four days left in Mr. Biden’s term, is the latest step in his administration’s four-year effort to protect America’s infrastructure, increasingly by imposing requirements rather than asking for voluntary cooperation.
But after four years of that daily confrontation, in which a new cold war with China is playing out, the hackers have often come out ahead. Over the past two years, Chinese actors have repeatedly broken into the country’s internet, cable and telecommunications systems and, in recent weeks, the Treasury Department. Those attacks have led the incoming Trump administration to complain that America’s defenses are vulnerable and that the country lacks sufficient deterrence.
As Mr. Biden’s list of last-minute regulations and orders grows longer, covering issues such as offshore drilling off the East Coast and removing Cuba from the list of state sponsors of terrorism, Mr. Trump’s advisers complain that the outgoing administration is waging a campaign to box in their policies and undercut their mandate.
Some of those actions will be reversed in the coming weeks, making many of Mr. Biden’s moves little more than political gestures. But the new cybersecurity measures add a wrinkle to that debate, because they could set the Trump administration’s vow to deregulate against its promise to protect American networks from Chinese intrusions.
The new rules, for the first time, require companies to prove that the software they sell to the federal government meets basic cybersecurity requirements, and to publish evidence of the steps they have taken. The order cites an “active and persistent cyber threat to the United States” and a wave of attacks from foreign governments and criminal groups.
With the requirements in the 50-page order, Mr. Biden has abandoned the earlier approach of encouraging private industry to invest in cybersecurity through voluntary programs and public-private partnerships.
He and his aides concluded that the only way to get companies to adopt strict cybersecurity measures is to require them, and to force companies to disclose the processes they actually follow. That way, when the next embarrassing breach occurs, it will be clear whether a company had let its guard down.
The new order extends federal oversight to the software supply chain. The White House, often relying on existing agency authorities, has already set rules for pipelines, railroads and hospitals.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies who led that drive, told reporters on Wednesday that the executive order, which has been in the works for months, is “designed to put the country on the path to a nationally defensible public and private sector network.”
The lesson was learned the hard way. Four years ago, when Mr. Biden was president-elect, Russian intelligence agencies got into code written by SolarWinds, a company that sold network management software to governments and Fortune 500 companies. When SolarWinds pushed an update of that software out to its customers, the Russians rode in with it, gaining access to corporate secrets and to federal agencies including the Treasury and Commerce Departments.
Mr. Biden condemned the Russians, and at his first meeting as president with President Vladimir V. Putin, in Geneva in 2021, he pressed him over the Russian ransomware attack that shut down Colonial Pipeline, which supplies gasoline and fuel to much of the East Coast. After that meeting, Ms. Neuberger pushed agencies across the government to develop new requirements for companies doing business with them, hoping to use the federal contracting process to force changes in how enterprise software is developed.
But the effort did not go far enough. Companies attested that their products met the new requirements, but they never had to prove it. When hackers linked to China’s intelligence services recently breached the Treasury Department, gaining access to thousands of unclassified documents, they appear to have gotten in through software supplied by a vendor, BeyondTrust. Federal officials said the company had represented itself as meeting the cybersecurity requirements; under the new rules it would have had to show that it had actually taken those steps.
“We told the software companies to just tell us they use it,” Ms. Neuberger said of the old federal rules. “I think we’ve seen, in the last four years, we really need evidence.”
BeyondTrust has said little about the episode, except to state briefly that it “took steps to address the security risk in early December 2024” and “notified a limited number of customers.” The company declined to discuss how the breach occurred.
The country’s biggest telecommunications companies have also said little about how China’s intelligence agencies found new, nearly invisible footholds in their networks. That access reached some of the government’s most sensitive systems for carrying out court-ordered wiretaps, as well as conversations of President-elect Donald J. Trump and Vice President-elect JD Vance. (It is not clear whether the Chinese agencies made use of that access.)
“Following the headline-grabbing cyberattacks of the past four years, such as China’s attack on Microsoft’s cloud, Russia’s takedown of commercial satellite companies and ransomware attackers forcing hospitals to postpone operations,” said Ms. Neuberger, “we spent seven months scrutinizing every hacking incident to determine exactly how the attackers got in.”
The new rules would probably have made no difference in the hack of the telecommunications companies, known as “Salt Typhoon,” which is being dealt with through separate regulatory action. But they could help protect the power grid and water systems from another type of China-linked intrusion, one designed to be able to disable those systems in the United States and hamper aid to Taiwan in the event of a military attack on the island.
Under the new rules, any company paid out of the more than $100 billion the federal government spends each year on software will be subject to the requirements. Violators may be referred to the Department of Justice for civil enforcement action.
The new rules will also impose requirements on space systems, after Russia knocked out a European satellite communications network by attacking its modems on the ground.
But implementing the order will be left to the Trump administration, which would have to enforce its deadlines, the first of which falls in 120 days. The real test will come if companies decide to see whether Mr. Trump’s administration will hold them to it.
Ms. Neuberger noted that the Biden administration had kept many regulations and orders inherited from the first Trump administration. She said she hoped the incoming administration would “do the same.” But that is far from certain.
And while Ms. Neuberger has recently stressed that defending American networks is a bipartisan effort, the incoming national security adviser, Michael Waltz, has spoken more about responding to China with offensive cyber operations.
The same goes for John Ratcliffe, Mr. Trump’s choice to direct the C.I.A. At his confirmation hearing on Wednesday, Mr. Ratcliffe said the United States had witnessed “an attack across a digital border from halfway around the world, in a matter of seconds and a click.” He said America’s ability to deter such attacks had diminished.
“There has to be a deterrent effect on our adversaries when they do it,” he said.