President Biden issued an executive order on Thursday requiring software companies selling their product to the federal government to prove they included ironclad security features that can thwart Chinese intelligence agencies, Russian ransomware gangs, North Korean cryptocurrency thieves and Iranian spies.
But it is unclear whether the Trump administration, intent on deregulation even while it vows to take on China in particular, will keep the overhauled cybersecurity rules.
The order, which came with four days left in Mr. Biden’s term, is the last in his administration’s four-year fight to secure American infrastructure and defeat increasingly ingenious surveillance operations.
But after four years of that daily, grinding confrontation — where much of the new cold war with China has played out — the hackers have usually come out ahead. In the past two years, there have been repeated, successful Chinese breaches of the utility grid, the nation’s pipelines, the telecommunications system and, in recent weeks, the Treasury Department. Those attacks have led the incoming Trump administration to complain that America’s defenses remain easily pierced and its deterrent capabilities insufficient.
As Mr. Biden’s list of new regulations and orders lengthens, covering issues like drilling off the East Coast and removing Cuba from the terrorism list, Mr. Trump’s advisers are complaining that the current administration is on a furious campaign to lock them in to its policies and mandates.
Some will be reversed next week, making many of Mr. Biden’s steps nothing more than an exiting political gesture. But the new cybersecurity requirements add a wrinkle to that debate, potentially setting up a conflict between the Trump administration’s vow to deregulate and its pledge to defend against Chinese intrusions into American networks.
The new rules would, for the first time, require companies to prove that software they sell to the federal government meets basic cybersecurity requirements, and to publish the evidence of those steps. They cite China’s “active and persistent cyberthreat to the United States” and waves of attacks from other nations and criminal groups.
Yet despite the 50 pages of requirements in the order, Mr. Biden is essentially abandoning the administration’s approach of coaxing private industry to invest in cybersecurity through voluntary programs and public-private partnerships.
He and his aides have concluded that the only way to get companies to invoke tough cybersecurity measures is to require those measures, and force the firms to make public their exact steps. That way, when there is another embarrassing breach, it will be clear whether the companies had left holes in their defenses.
The new order would expand federal authority over the software supply chain. The White House, often using existing authorities, has already put regulations on pipelines, railways and hospitals.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies who has led that drive, told reporters on Wednesday that the executive order, in the works for many months, was “designed to put the country on a path to defensible networks across the government and private sector.”
It was borne of bitter experience. Four years ago, when Mr. Biden was still the president-elect, Russia’s spy agencies had penetrated the code written by SolarWinds, a company that sold network management software to the government and Fortune 500 companies. Once SolarWinds updated that software and distributed it to its customers, Russia gained the ability to steal corporate secrets and conduct surveillance in federal agencies such as the Treasury and Commerce Departments.
Mr. Biden denounced the Russians, and his one meeting as president with President Vladimir V. Putin, in Geneva in 2021, was largely about Russian ransomware that was freezing up Colonial Pipeline, which provides gas and oil along the East Coast. After that session, Ms. Neuberger pressed agencies around the government to draft new requirements for companies doing business with them, hoping to use the federal contracting process to force changes in the way firms develop their software.
But the effort did not go far enough. Companies declared that their products met the new conditions, but never needed to prove their assertions. When hackers linked to one of China’s intelligence agencies recently breached the Treasury Department, gaining access to thousands of unclassified documents, they appeared to enter through software provided by the vendor BeyondTrust. Federal officials said the firm had represented itself as having met all cybersecurity requirements, but the new regulations would have forced it to make those steps public.
“We told companies producing software to just tell us that they were using it,” Ms. Neuberger said of older federal rules. “I think we’ve seen, over the last four years, we actually need proof.”
BeyondTrust has said little about the episode, except for brief statements that it “took measures to address a security incident in early December 2024” and “notified the limited number of customers.” It has declined to discuss how the breach happened.
Nor have the nation’s largest telecommunications firms said much about how China’s intelligence agencies found new, almost undetectable seams in their networks. The discovery allowed access to some of the government’s most secret systems for tapping phones with court orders as well as the unencrypted conversations of President-elect Donald J. Trump and Vice President-elect JD Vance. (It is unclear if the agencies exploited that access.)
“In the wake of headline-making cyberattacks over the past four years, like China’s compromise of Microsoft’s cloud, Russia’s disabling of a commercial satellite company and ransomware attackers forcing hospitals to postpone surgeries,” Ms. Neuberger said, “we’ve spent seven months carefully reviewing each hacking incident to determine exactly how the attackers got through the gates.”
The new rules most likely would not have made a difference in the surveillance operation against the telecommunications companies, called “Salt Typhoon.” They might have helped secure the electric grid and water pipelines against a different kind of hack linked to China, which was aimed at disabling those systems in the United States to deter help to Taiwan in case of military action over the island.
Under the latest guidelines, any company that is paid from the more than $100 billion that the federal government spends each year on software would be subject to the requirements. Violators could be referred to the Justice Department for civil prosecution.
The new rules would also put requirements on space systems, after Russia disabled a European satellite communications system by attacking its modems on the ground.
But carrying out the new order will be left to the Trump administration, which would have to enforce the deadlines, starting in about 120 days. A crucial moment will come then, if companies decide to test whether Mr. Trump will uphold the deadlines.
Ms. Neuberger noted that the Biden administration adopted many rules and orders left over from the previous Trump administration. She said she expected the returning administration “to do the same.” But that is hardly guaranteed.
And while Ms. Neuberger noted recently that building resilience into American networks has been a bipartisan effort, the incoming national security adviser, Representative Michael Waltz, has talked much more about responding to China with offensive cyberoperations.
So has John Ratcliffe, Mr. Trump’s pick for C.I.A. director. Mr. Ratcliffe said at his confirmation hearing on Wednesday that the United States was witnessing an “invasion through our digital borders from half a world away, in a few seconds and a few keystrokes.” He argued that America’s ability to deter such attacks had faltered.
“The deterrent effect has to be that there are consequences to our adversaries when they do that,” he said.
