The upcoming directive is expected to mandate secure software development, AI-driven defense initiatives, and stricter federal security compliance for agencies and contractors.

In a decisive move to strengthen national cybersecurity, President Joe Biden is poised to sign an executive order imposing stringent security standards on federal agencies and contractors. Scheduled for publication in the coming days, the directive will emphasize integrating artificial intelligence (AI) into cyber defense strategies while addressing systemic vulnerabilities in software security, Reuters reported. This will be Biden’s third and potentially last cybersecurity-related executive order, following a string of high-profile cyberattacks linked to Chinese state actors.

AI to fortify cyber defense

At the core of the new directive is a program enabling the Pentagon to harness advanced AI models to bolster cybersecurity across critical defense systems. The directive also initiates a complementary pilot program in the energy sector to explore AI applications for securing the nation’s energy infrastructure, the report added. These initiatives build on existing research by the Pentagon’s Defense Advanced Research Projects Agency (DARPA), which has been investigating AI-driven solutions for protecting critical systems. The push signals a growing reliance on AI to preempt, detect, and respond to evolving cyber threats targeting both the public and private sectors.

Challenges in implementation

Analysts warn that federal agencies and technology vendors may face multiple challenges in implementing the AI-driven cybersecurity framework. These include the substantial resources needed to integrate AI into existing systems and the problem of false positives and false negatives in AI threat detection, which can mean wasted effort on one side and missed threats on the other.
“The complexity and interpretability of AI models can also complicate troubleshooting and reduce trust in automated decision-making,” said Charlie Dai, VP and principal analyst at Forrester. “Additionally, limitations in computational infrastructure, a lack of skilled AI talent, and challenges in ensuring data privacy for sensitive information are significant hurdles to adoption.”

“One of the key challenges of implementing this is the capability of government agencies to project, monitor it and ensure vendors are held accountable,” pointed out Yugal Joshi, partner at Everest Group. “It is highly unlikely that governments have staff who understand AI-led cybersecurity and can drive these initiatives.”

“In addition,” Joshi added, “in many cases, the legacy platforms in the government may not allow such innovation or may entail significant spending to adopt these. Given the financial stress on the US government, it will be interesting to witness how this is addressed.”

Impact on private vendors

To address long-standing issues with insecure software, the order requires vendors supplying software to federal agencies to adhere to strict secure development practices. Under the directive, vendors must provide documentation proving compliance, to be evaluated by the Cybersecurity and Infrastructure Security Agency (CISA) as part of its software attestation program, the report said. “Attestations failing validation may face referral to the attorney general for appropriate action,” states the draft seen by Reuters. This framework formalizes measures CISA introduced last year and sets an unequivocal expectation of accountability for private-sector vendors.

Analysts believe that private-sector technology vendors will likely need to overhaul operations and innovation strategies to align with the new requirements. Adopting AI-driven cybersecurity technologies and adhering to secure software development standards will require significant investment.
“The costs of compliance and regulatory complexities could strain operations, especially as vendors work to integrate new processes into existing systems,” Dai added. “However, these challenges might also push vendors to innovate, resulting in the development of more secure, resilient products over the long term,” Dai pointed out.

Furthermore, the heightened demand for skilled professionals to support these transitions could exacerbate the current talent shortage. “Therefore, the government may have to rely on other vendors to oversee their vendor landscape which will increase complexity and the certainty of outcomes,” Joshi added.

Lessons from high-profile hacks

The executive order has emerged against the backdrop of multiple cyber incidents attributed to Chinese-linked hackers, including attacks on critical infrastructure, U.S. Treasury systems, and government email accounts in 2023. A major loophole exploited in those incidents involved improperly managed access tokens and cryptographic keys, prompting a section of the order to mandate new federal guidelines for handling these sensitive assets securely. Beijing has repeatedly denied allegations of state-sponsored cyber activities, but analysts point to the order as an attempt to plug gaps that have historically been exploited.

Uncertain future under Trump 2.0

Despite its immediate impact, the executive order’s long-term influence remains uncertain. President-elect Donald Trump, set to take office in a few weeks, has yet to outline his administration’s approach to cybersecurity. While such issues often enjoy bipartisan consensus, experts question whether Trump will retain Biden’s policies or chart a distinct course. The transition to a new administration brings uncertainty over whether these policies will be retained or modified.

“It is highly likely that the next government will review and potentially adjust cybersecurity mandates, potentially granting companies more autonomy in managing their practices.
While this could spur innovation, it may also increase risks for enterprises that fail to regulate effectively,” Forrester’s Dai said. “Enterprises could face regulatory uncertainty during this transitional phase, requiring them to remain agile and vigilant in their compliance efforts.”

“This could potentially be one area of friction between Biden’s government and the incoming leaders who may think this was deliberately done to put them under a difficult situation,” pointed out Joshi. “Vendors will increase the price of their software to account for increased compliance and innovation spend. This will stress test the government’s budgets, especially with the DOGE initiatives.”

Biden’s latest executive order serves as both a culmination of his administration’s cybersecurity efforts and a potential playbook for the incoming administration. By combining AI with rigorous regulatory standards, it aims to enhance national resilience against an increasingly complex threat landscape. Whether these measures endure beyond Biden’s tenure or face a policy overhaul will significantly shape the trajectory of federal cybersecurity in the coming years. For now, federal agencies, contractors, and technology vendors have a clear mandate to prioritize robust security and innovation in safeguarding critical infrastructure.

“This is where Biden’s government and incoming leaders may have a disconnect,” Joshi added. “However, in general cyber and AI, these are two areas where there is broad alignment between parties in the USA.”