Business Standard


Biden admin rushes to finish cybersecurity order after China hacks

Among the measures, it directs the government to implement "strong identity authentication and encryption" across communications, according to an undated draft


The draft executive order also instructs the government to develop guidelines to better secure cryptographic keys used by cloud software contractors | (Photo: Reuters)

Bloomberg


By Katrina Manson and Jake Bleiberg 
The Biden administration is racing to put out an executive order meant to shore up US cybersecurity in its dwindling days in office, according to four people familiar with the matter. 
The executive order, which has cleared some internal hurdles and is close to being published, incorporates lessons from a series of major breaches during the Biden administration, including the most recent Treasury Department hack attributed to China, according to people familiar with the matter who didn’t want to be named to discuss information that hasn’t yet been made public.
 
Among the measures, it directs the government to implement “strong identity authentication and encryption” across communications, according to an undated draft of the order seen by Bloomberg News. In the December Treasury hack, intruders accessed unclassified documents stored locally on laptops and desktop computers. Encrypting information sent by email and worked on in the cloud could help safeguard it from hackers who successfully access systems but then cannot open specific documents.
 
 
The US National Security Council didn’t respond to a request for comment. 
 
In that Treasury incident, a sophisticated Chinese hacking group known as Silk Typhoon is believed to have stolen a digital key from BeyondTrust Inc., a third-party service provider, and used it to access unclassified information relating to potential sanctions actions and other documents, according to two people familiar with the matter. The department didn’t immediately respond to a request for comment on the identity of the hackers, which hasn’t been previously reported. 
 
The draft executive order also instructs the government to develop guidelines to better secure cryptographic keys used by cloud software contractors, including by storing them in hardware security modules, physical devices that store digital keys to keep them safe. Under the executive order, federal contractors would also be required to better manage access.
 
The draft order also aims to clarify whether software providers follow basic cybersecurity hygiene — such as using multi-factor authentication and complex passwords — that they claim to incorporate. 
 
“In some instances, providers of software to the federal government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the government at risk of compromise,” the draft states. 
 
Whether President-elect Donald Trump will leave the executive order in place when he takes office remains unclear, though he’s vowed to pare back on federal regulation. Trump has signaled that he intends to repeal another Biden administration order intended to provide guardrails around artificial intelligence. 
 


First Published: Jan 09 2025 | 8:02 AM IST
