President Joe Biden issued an executive order on Thursday requiring software companies selling their product to the federal government to prove they included ironclad security features that can thwart Chinese intelligence agencies, Russian ransomware gangs, North Korean cryptocurrency thieves and Iranian spies.
But it is unclear whether the Trump administration, intent on deregulation even while it vows to take on China in particular, will keep the overhauled cybersecurity rules.
The order, which came with four days left in Biden’s term, is the last in his administration’s four-year fight to secure American infrastructure and defeat increasingly ingenious surveillance operations.
But after four years of that daily, grinding confrontation — where much of the new cold war with China has played out — the hackers have usually come out ahead. In the past two years, there have been repeated, successful Chinese breaches of the utility grid, the nation’s pipelines, the telecommunications system and, in recent weeks, the Treasury Department. Those attacks have led the incoming Trump administration to complain that the United States’ defenses remain easily pierced and its deterrent capabilities insufficient.
As Biden’s list of new regulations and orders lengthens, covering issues like drilling off the East Coast and removing Cuba from the terrorism list, Trump’s advisers are complaining that the current administration is on a furious campaign to lock them in to its policies and mandates.
Some will be reversed next week, making many of Biden’s steps nothing more than an exiting political gesture. But the new cybersecurity requirements add a wrinkle to that debate, potentially setting up a conflict between the Trump administration’s vow to deregulate and its pledge to defend against Chinese intrusions into American networks.
The new rules would, for the first time, require companies to prove that software they sell to the federal government meets basic cybersecurity requirements, and to publish the evidence of those steps.
Biden is essentially abandoning the administration’s approach of coaxing private industry to invest in cybersecurity through voluntary programs and public-private partnerships. He and his aides have concluded that the only way to get companies to invoke tough cybersecurity measures is to require those measures, and force the firms to make public their exact steps.
The new order would expand federal authority over the software supply chain. The White House, often using existing authorities, has already put regulations on pipelines, railways and hospitals.
The New York Times Services
