chrisrohlf
Jan 16, 8 tweets, 3 min read
Today brings us the Biden administration's last Executive Order on cyber. It contains some improvements to policy surrounding emerging technologies such as AI and Post Quantum Cryptography, additional authorities to go after threat actors, and some good signal that USG is watching threat actor activity closely 1/n

whitehouse.gov/briefing-room/…
First, this EO directs USG to do more R&D with AI for cyber defense in areas such as vulnerability discovery, patch management, and threat hunting. These are all areas ripe for scale and automation. It also calls for building and publishing more labelled cyber-specific data sets, and leveraging AI in defense of critical energy infrastructure. 2/n
The discourse around AI and cyber has substantially improved over the last few years. We’ve gone from absurd doomsday scenarios involving autonomous 0-day engines to embracing the idea that AI may begin to reverse the defender's dilemma. Given how bad the current situation in cyber is (as evidenced by the very intrusions referenced by the EO), I remain convinced AI holds far more uplift for defenders. Let’s keep the momentum in this direction. 3/n
This EO makes clear that USG is paying close attention to adversary tactics in recent Salt/Volt Typhoon campaigns, and revisiting old policies accordingly. The USG can and should respond to China and other adversaries using all instruments of power within its reach. But China isn’t the only adversary capable of compromising these targets, so without fixing the underlying vulnerabilities another attack is just a matter of time. 4/n
To address some of those vulnerabilities the EO adds requirements for E2EE for USG communications. Video conferencing is called out specifically, likely because a single unencrypted dial-in user downgrades the security of the call for everyone. This is a long overdue and welcome change. While some people love email, I don’t think it can be secured and I wish it were possible to replace entirely with E2EE messaging. The COMSEC mission is critical, but the internet today looks very different from the era when current policies were written. 5/n
It also adds requirements for modern phishing-resistant authentication schemes (e.g. FIDO, passkeys), requires NIST to update and develop guidance on securely developing and deploying software, and attempts to modernize how federal networks are managed. Unfortunately the latter is always easier said than done. It requires USG software vendors to provide, and publish, proof of software security efforts in machine-readable formats. The hope is that USG's immense purchasing power results in more secure development practices across the broader industry. I feel USG is obligated to do this given what it spends every year, but they should also be cutting ties with vendors who repeatedly put our national security at risk, even more so for cyber security vendors. Big companies with similar leverage should follow suit in making similar contractual requirements. 6/n
But better software is just one piece of the solution. The ecosystem of bad actors that enable these attacks should pay a price commensurate with their actions. The EO introduces new Treasury sanction authorities to go after those that enable these activities. If you’re supplying services or equipment for a ransomware operation targeting hospitals you’re as fair game as the guy who executed the intrusion. This is a welcome change, but lack of authorities to go after threat actors is often not the primary problem, it’s the will to use them aggressively. 7/n
The EO contains much more than I can cover here. Cyber is, and should remain, a non-partisan national security issue. I’m looking forward to seeing what the next administration does in this domain, and I thank the folks in the current administration for their tireless efforts. 8/8
