Biden orders encryption of email, DNS and BGP

US President Joe Biden has set out a huge list of IT security measures for his US federal officials. The range of measures is enormous, so hardly any official ICT system will remain untouched. The presidential decree published on Thursday may have taken several years to prepare. This comes just four days before Biden’s term ends.


This includes requirements not only for the internal management of federal agencies, but also for their suppliers and service providers; otherwise the undertaking would make no sense. Even the best resolver is of no use if the software you purchased does not support DNS encryption. If the network operator’s BGP router does not process the origin keys, securing the data transmission is ineffective. If the hardware is compromised before installation, recovery is difficult.

However, the requirements contrast with the deregulation that Biden’s successor Donald Trump is promoting and with his planned radical cuts to public services. Perhaps especially for Trump’s benefit, Biden’s decree emphasizes twice at the outset whom it needs to protect against: adversaries and criminals, above all the People’s Republic of China. It is “the most active and persistent IT threat to US officials, the private sector, and critical infrastructure”.

“More must be done to protect the nation’s IT security from these threats,” the US president writes, adding that his order continues previous presidential orders from Barack Obama, Donald Trump and Biden himself. He declares the government’s official strategy to be making software and cloud service providers more accountable, strengthening the security of official communications and identity management systems, and harnessing innovative developments and new technology (read: AI) for IT security.

To that end, Biden is ordering a long list of steps that the various parties involved must take. However, the President’s authority is limited to the federal level, and the private sector is affected only to the extent that it works for federal officials. Systems for national security and particularly important military facilities are largely excluded; for these the decree merely recommends that appropriate measures be taken. Since open source sometimes has no contractual partner in the strict sense, guidance on security assessments and update management, but also on contributions from the public sector to open source projects, must be developed for its use.


Software suppliers are already required to follow certain security rules when programming, but they are sometimes lax when it comes to closing known security flaws. Therefore, agencies should keep a close eye on their suppliers. To that end, Biden is ordering new contract terms and confirmation from suppliers that they are complying with the security requirements. In addition to a list of all government customers, suppliers should also upload data that proves implementation of the rules. This should be checked on a random basis and the results published. In this way, negligent software providers are punished.

Better programming methods alone are not enough. The deployment and updating of the software and the security of the final product must also be right. For this purpose, the recommendations of the National Institute of Standards and Technology should be updated and made binding (NIST Special Publications 800-218, Secure Software Development Framework (SSDF), and 800-53, Security and Privacy Controls for Information Systems and Organizations). The same applies to the entire supply chain of software and hardware (800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations). The entire life cycle, from procurement planning to supplier selection, definition of responsibilities, security and performance evaluation, and management of contracts, should be revised.

Since even the most secure software is of little use if a customer uses it insecurely, executives also have to do their homework. This includes better management of digital identities and access rights. Phishing should be made more difficult; Biden specifically names WebAuthn, i.e. he is pushing passkeys. Default settings for cloud systems should be defined to improve data security.

In a previous order, Biden had directed federal agencies to share threat information with each other. This is no longer enough. Now a so-called “endpoint detection and response” system is to be introduced, whose evaluation can be supervised by the IT security authority CISA (with exceptions for data protection or other information that must be kept secret, and with time restrictions in special cases so that important processes are not interrupted).

For satellites and other space matters, the President also mandates the basic building blocks: encryption of data transmission and its protection against manipulation in transit, authentication of sources, and rejection of unauthorized commands. In addition, methods for detecting and responding to anomalies are to be developed, along with the use of secure methods for hardware and software development.

First, an inventory of ground stations must be created, which will be used to determine which systems require special protection. Recommendations for better security and monitoring should then be made for these.
