Biden orders encryption of e-mail, DNS and BGP

End-to-end encryption, better software and defenses, post-quantum, vendor oversight, passkeys, AI research – Biden prescribes good medicine.

Joe Biden at the lectern

Joseph Robinette Biden Jr. is anything but tired of office; he is putting in a final sprint. (Recording from 9 December 2024)

(Image: White House, public domain)


US President Joe Biden is prescribing a huge catalog of IT security measures for the US federal authorities. The range of measures is enormous: hardly any government ICT system will remain untouched. The presidential decree (Executive Order 14144) published on Thursday must have taken years to prepare. It was finished just in time, four days before the end of Biden's term of office.

It not only contains requirements for the internal management of federal authorities, but also for their suppliers and service providers; otherwise the undertaking would make little sense. If the purchased software cannot speak encrypted DNS (DNS over TLS or DNS over HTTPS), even the best resolver is useless. If the network operator's BGP (Border Gateway Protocol) routers do not validate route origins against RPKI data, securing the data path will come to nothing. If the hardware is already compromised before installation, the defenders will have a hard time.

However, the requirements stand in contrast to the deregulation preached by Biden's successor in office, Donald Trump, and his planned radical cuts to public services. Perhaps with Trump in mind, Biden's decree emphasizes twice right at the beginning who needs to be fended off: adversaries and criminals, above all the People's Republic of China, which it calls "the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks".

"More must be done to improve the Nation's cybersecurity against these threats", writes the US President, whose decree updates earlier executive orders by Barack Obama, Donald Trump and Biden himself. It declares it official government policy to hold providers of software and cloud services more accountable, to strengthen the security of government communication and identity management systems, and to use innovative developments and new technology (read: AI) for IT security.


To this end, Biden has ordered a long list of steps to be taken by various stakeholders. However, the President's authority is limited to the federal level, and the private sector is only affected to the extent that it works for federal authorities. National security systems and particularly important military facilities are largely exempt, although the decree advises them to take appropriate measures. As open source software often has no contractual partner in the narrower sense, guidance is to be drawn up on security assessments, update management and contributions by federal agencies to open source projects.


Software suppliers already have to follow certain security rules when programming, but are sometimes negligent when it comes to plugging known security gaps. Authorities should therefore keep a closer eye on their suppliers. To this end, Biden is ordering new contractual conditions and attestations from suppliers that they are complying with the security requirements. In addition to a list of all their federal customers, they are to upload artifacts proving that they have implemented the rules. These are to be spot-checked, with the results being published. In this way, negligent software providers will be pilloried.

Better programming methods alone are not enough. The deployment of the software and its updates and the security of the end product must also be right. To this end, recommendations from the National Institute of Standards and Technology are to be updated and made binding: NIST Special Publication 800-218, Secure Software Development Framework (SSDF), and SP 800-53, Security and Privacy Controls for Information Systems and Organizations. The same applies to the entire supply chain of software and hardware (SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations). Here, the entire life cycle from procurement planning through supplier selection, definition of responsibilities and evaluation of security and performance to contract management is to be revised.

As the most secure software is of little use if the customer uses it insecurely, the authorities must also do their homework. This includes better management of digital identities and access rights. Phishing is to be made harder through phishing-resistant authentication; the decree explicitly names WebAuthn, which in practice means passkeys. Secure default settings for cloud services are to be defined to improve data security.
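Why WebAuthn makes phishing harder, shown as an added example that is not part of the original article or of the decree: the relying party below checks the origin the browser recorded in the client data, the challenge it issued itself, the RP ID hash in the authenticator data and the signature under the registered key, and so rejects an assertion that was made on a look-alike site and relayed. The code is written here for illustration in Go with the standard library only; the relying party "agency.example", the look-alike origin "https://agency-login.example", the generated key and the 37-byte authenticator data header are constructed for this example, and the passkey is simulated in software rather than a real authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON the relying party (RP) checks; the browser fills in Origin, the page cannot.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the RP.
type assertion struct {
	AuthenticatorData, ClientDataJSON []byte
	Signature                         []byte // ECDSA P-256, ASN.1 DER
}

// buildAuthData returns the 37-byte authenticator data header: SHA-256(rpID) || flags || big-endian counter.
func buildAuthData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x05) // flags: user present | user verified
	return binary.BigEndian.AppendUint32(out, counter)
}

// signedDigest is what the passkey signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// simulateAuthenticator stands in for a passkey: it signs whatever origin the browser reports.
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	ad := buildAuthData(rpID, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the RP side, reduced to the checks that make passkeys phishing-resistant.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data or wrong ceremony type: %v", err)
	}
	if cd.Origin != expectedOrigin { // origin binding: the core anti-phishing property
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, expectedOrigin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match RP ID %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	return nil
}

// runScenarios replays three log-ins against the RP and reports which were accepted.
func runScenarios() (map[string]bool, error) {
	const rpID, origin = "agency.example", "https://agency.example" // constructed RP
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	accepted := func(a assertion, err error) bool {
		return err == nil && verifyAssertion(&priv.PublicKey, rpID, origin, challenge, a) == nil
	}
	return map[string]bool{
		"honest origin":      accepted(simulateAuthenticator(priv, rpID, origin, challenge)),
		"phishing origin":    accepted(simulateAuthenticator(priv, rpID, "https://agency-login.example", challenge)),
		"replayed challenge": accepted(simulateAuthenticator(priv, rpID, origin, make([]byte, 32))), // never issued
	}, nil
}

func main() {
	fmt.Println(runScenarios()) // map[honest origin:true phishing origin:false replayed challenge:false] <nil>
}
```

The "phishing origin" case is the one a password cannot survive: the user does everything right, but the browser on the look-alike site records that site's origin, the passkey signs over it, and the relying party refuses the relayed assertion. The simulation keeps the RP ID fixed so that only the origin check is exercised; a real browser would additionally refuse to let the look-alike site use the genuine RP ID at all.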

In an earlier decree, Biden ordered federal authorities to share information about threats. This is no longer enough. Now "endpoint detection and response" (EDR) systems are to be rolled out, whose telemetry may be monitored by the cybersecurity authority CISA (with exceptions for data protection or information that must otherwise be kept secret, as well as time limits in special cases so as not to disrupt critical processes).

For satellites and other space systems, the President must even have basic building blocks put in place: encryption of data transmissions and their protection against manipulation en route, authentication of command sources and rejection of unauthorized commands. Added to this is the development of methods to detect and react to anomalies, plus the use of secure methods for the development of hardware and software.
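The building blocks listed for space systems, as an added example in Go that is not part of the article or of the decree: a telecommand frame protected with AES-GCM, where the encryption hides the command, the authentication tag catches manipulation en route, a per-ground-station key ties each frame to its sender, a strictly increasing sequence number rejects replays, and a per-sender command allow-list rejects commands that sender is not authorized to issue. Station IDs, keys, command codes and the frames fed through the receiver are constructed sample data, not any real satellite protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const cmdPing, cmdThruster byte = 0x01, 0x7f // constructed command codes: 0x01 asks for telemetry, 0x7f fires thrusters

// frame is a telecommand on the uplink: Source and Seq travel in the clear but are authenticated as AES-GCM associated data, the command itself only exists inside the ciphertext.
type frame struct {
	Source uint16 // ground-station ID, selects the key on board
	Seq    uint32 // strictly increasing per source, so replays and re-ordering are rejected
	Body   []byte // AES-GCM ciphertext || tag over (cmd || args)
}

type station struct {
	key     []byte        // AES key shared with this ground station
	allowed map[byte]bool // commands this source may issue
	lastSeq uint32
}

type satellite struct{ stations map[uint16]*station } // the on-board receiver

// header encodes (source, seq) as 12 bytes used both as GCM nonce and as associated data; it never repeats under one key because the satellite enforces a strictly increasing seq.
func header(src uint16, seq uint32) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint16(h, src)
	binary.BigEndian.PutUint32(h[2:], seq)
	return h
}

// mustAEAD builds AES-GCM for a configured key; a wrong key length is a deployment error.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}

// seal runs on the ground station: encrypt and authenticate one command.
func seal(key []byte, src uint16, seq uint32, cmd byte, args []byte) frame {
	h := header(src, seq)
	return frame{Source: src, Seq: seq, Body: mustAEAD(key).Seal(nil, h, append([]byte{cmd}, args...), h)}
}

// accept runs on board and releases the command only if the frame is from a known source, is fresh, is untampered, and that source is allowed to issue it.
func (s *satellite) accept(f frame) (byte, []byte, error) {
	st, ok := s.stations[f.Source]
	if !ok {
		return 0, nil, fmt.Errorf("unknown source %d", f.Source)
	}
	if f.Seq <= st.lastSeq {
		return 0, nil, fmt.Errorf("seq %d not above %d: replayed or out-of-order frame", f.Seq, st.lastSeq)
	}
	h := header(f.Source, f.Seq)
	pt, err := mustAEAD(st.key).Open(nil, h, f.Body, h)
	if err != nil || len(pt) == 0 {
		return 0, nil, fmt.Errorf("authentication failed: forged or tampered frame")
	}
	st.lastSeq = f.Seq // advance only once the frame has proven authentic
	if !st.allowed[pt[0]] {
		return 0, nil, fmt.Errorf("source %d is not authorized for command 0x%02x", f.Source, pt[0])
	}
	return pt[0], pt[1:], nil
}

// runScenarios feeds constructed frames (sample data, not a real uplink) to one satellite, in order, and reports which of them were executed.
func runScenarios() map[string]bool {
	keyA, keyB := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed 128-bit keys
	sat := &satellite{stations: map[uint16]*station{
		1: {key: keyA, allowed: map[byte]bool{cmdPing: true, cmdThruster: true}}, // mission control
		2: {key: keyB, allowed: map[byte]bool{cmdPing: true}},                   // telemetry-only site
	}}
	executed := func(f frame) bool {
		_, _, err := sat.accept(f)
		return err == nil
	}
	burn := seal(keyA, 1, 1, cmdThruster, []byte{30})
	tampered := frame{Source: 1, Seq: 2, Body: append([]byte{}, burn.Body...)}
	tampered.Body[0] ^= 0x80 // one bit flipped in transit
	res := map[string]bool{}
	res["thruster burn from mission control"] = executed(burn)
	res["same frame replayed"] = executed(burn)
	res["bit flipped in transit"] = executed(tampered)
	res["forged with attacker key"] = executed(seal([]byte("attacker-key-000"), 1, 3, cmdThruster, nil))
	res["telemetry site tries thruster"] = executed(seal(keyB, 2, 1, cmdThruster, nil))
	res["telemetry site asks for telemetry"] = executed(seal(keyB, 2, 2, cmdPing, nil))
	return res
}

func main() {
	fmt.Println(runScenarios())
}
```

The last two cases separate authentication from authorization: the telemetry site's frames verify under its own key, but only the command on its allow-list is executed. Counting the rejections per source over time is the simplest form of the anomaly detection the decree also asks for.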

For ground stations, an inventory will first be created to determine which systems require special protection. Recommendations for better protection and monitoring will then be drawn up for these.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.