Biden executive order prioritizes privacy-preserving digital ID, mDLs

In one of his last official acts as President, Joe Biden on Thursday (January 16, 2025) issued a new executive order (EO) aimed at bolstering national cybersecurity. The directive lays out a broad strategy covering software supply-chain security, identity and authentication, and the privacy of the digital identity systems that depend on them.

The EO builds on Biden’s May 12, 2021, executive order, Improving the Nation’s Cybersecurity (EO 14028), and on the initiatives detailed in the National Cybersecurity Strategy.

Much as anticipated, the EO instructs federal agencies that issue grants to consider supporting states in the development of mobile driver’s licenses (mDLs), with the stipulation that those credentials should not enable surveillance or tracking of interactions in which the digital ID is used.

By strengthening software supply chains, enhancing identity management, leveraging emerging technologies, and fostering collaboration, the new EO aims to protect the nation’s digital infrastructure against evolving threats and to safeguard the security and privacy of Americans in an increasingly interconnected world.

The EO warns that “adversarial countries and criminals continue to conduct cyber campaigns targeting the United States and Americans,” and that “the People’s Republic of China present[s] the most active and persistent cyber threat to the United States Government, private sector, and critical infrastructure networks.”

Biden said, “These campaigns disrupt the delivery of critical services across the nation, cost billions of dollars, and undermine Americans’ security and privacy. More must be done to improve the nation’s cybersecurity against these threats.”

Central to Biden’s Thursday Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity is the recognition of vulnerabilities in third-party software supply chains. Federal systems and critical infrastructure frequently rely on software from external providers, some of whom fail to address known security flaws, exposing these systems to exploitation. To mitigate this risk, the EO mandates stringent secure software development practices.

Within 30 days of signing the new EO, the Office of Management and Budget, in coordination with the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), must recommend contract language requiring software providers to submit secure software attestations to a centralized repository managed by CISA. This repository will include machine-readable attestations, high-level artifacts, and a list of federal customers. The Federal Acquisition Regulatory Council (FAR Council) is tasked with swiftly implementing these requirements, emphasizing transparency and accountability in software security.

To operationalize these reforms, the executive order establishes timelines and actionable steps for federal agencies and private sector stakeholders. For instance, the Secretary of Commerce, through NIST, is tasked with updating the Secure Software Development Framework to include detailed guidance on secure software delivery and operations. Similarly, the FAR Council is encouraged to adopt interim rules to ensure compliance. These measures are intended to reduce software vulnerabilities and establish rigorous third-party risk management practices.

While secure software development practices form a critical component of this initiative, they cannot by themselves mitigate advanced threats posed by nation-state actors. Recognizing this, the EO calls for enhanced endpoint detection and response capabilities across federal civilian agencies.

Within 180 days of Biden issuing the EO, CISA, in coordination with the federal Chief Information Officer and Chief Information Security Officer Councils, must develop protocols for accessing endpoint telemetry data. This access will enable threat hunting, anomaly detection, and coordinated responses to cyber campaigns targeting multiple agencies. To maintain privacy and integrity, these activities will adhere to principles of “least privilege” and employ robust access controls.

Authentication and identity management stand as pillars of cybersecurity. The order underscores the importance of adopting phishing-resistant authentication mechanisms, such as WebAuthn, across federal systems. Building on prior deployments, agencies are directed to pilot these technologies to inform long-term strategies for identity, credentialing, and access management. The directive also highlights the need for secure management of cryptographic keys and proposes updated guidelines for their use in cloud environments. These measures aim to thwart unauthorized access and bolster trust in digital interactions.

The EO also addresses the security of federal communications. Agencies are required to implement encrypted domain name system protocols and ensure secure email transport by default. These measures protect the confidentiality and integrity of government communications from interception and tampering. Moreover, the order mandates enhanced security for voice and video conferencing platforms, advocating for end-to-end encryption while maintaining compliance with federal records management requirements.

The EO notes that quantum computing poses significant risks to existing public-key cryptographic systems. It therefore outlines a transition to post-quantum cryptography (PQC) standards, so that federal systems remain resilient against cryptanalytically relevant quantum computers. Agencies are required to prioritize PQC-ready technologies and to collaborate with international partners to encourage global adoption. This forward-looking approach seeks to preempt future vulnerabilities while maintaining the competitiveness of U.S. technology.

Open-source software, a cornerstone of modern computing, is another focal point of the executive order. While its use offers innovation and cost benefits, it also introduces unique risks. The EO instructs federal agencies to better manage their reliance on open-source software by adopting security assessments, applying timely patches, and contributing to the broader cybersecurity ecosystem. These actions aim to enhance the security and resilience of open-source software while preserving its benefits.

The executive order further mandates research and pilot programs to harness AI for threat detection, vulnerability management, and automated response. By prioritizing datasets for cyber defense and advancing secure AI system designs, the directive seeks to leverage AI’s potential while addressing its risks, including the generation of insecure code and exploitation of AI vulnerabilities by adversaries.

To combat cybercrime and fraud, the executive order emphasizes secure digital identity systems. Federal agencies are encouraged to accept mDLs and other digital identity documents, provided they adhere to principles of privacy, interoperability, and data minimization. By enabling “yes/no” validation services, which confirm or deny a claim (for example, that the holder is over 21) without returning the underlying record, the government can strengthen identity verification while limiting what a verifier learns about the person. Pilot programs will explore technologies to alert individuals to potential identity misuse, empowering them to prevent fraudulent transactions.
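The data-minimization idea behind a “yes/no” answer can be shown with a small selective-disclosure credential. The following is an added illustration, not code from the EO, any DMV, or the ISO 18013-5 reference implementation: the issuer signs a salted digest of every attribute rather than the values themselves, and the holder hands a verifier only the attribute it asked for, here the boolean age_over_21 instead of a birth date. The issuer key, the record, and all function names are constructed for this example; an HMAC stands in for the issuer’s real asymmetric signature so the code runs offline with the standard library only.

```python
"""Yes/no attribute disclosure for a mobile driver's license (mDL).

Added illustration of the data-minimization point in the EO; not code from
the EO, a DMV, or ISO 18013-5. Keys, records and names are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed issuer key. A real issuer signs with an asymmetric key and the
# verifier checks against the issuer's published certificate; HMAC stands in
# so the example runs offline with only the standard library.
ISSUER_KEY = secrets.token_bytes(32)


def _age(birth_date: str, as_of: date) -> int:
    b = date.fromisoformat(birth_date)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))


def _digest(salt: bytes, name: str, value) -> str:
    """Salted digest of one attribute. Without the salt the digest reveals
    nothing about the value, so an undisclosed birth_date cannot be brute-forced."""
    payload = json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(salt + payload).hexdigest()


def issue_mdl(record: dict, as_of: str = "2025-01-16") -> dict:
    """Issuer side. Derives yes/no age attributes at issuance (ISO 18013-5
    defines age_over_NN elements for this purpose) and signs only the digest
    list, so any subset of the values can be disclosed later."""
    attrs = dict(record)
    age = _age(record["birth_date"], date.fromisoformat(as_of))
    attrs["age_over_18"] = age >= 18
    attrs["age_over_21"] = age >= 21
    salts = {k: secrets.token_bytes(16) for k in attrs}
    digests = {k: _digest(salts[k], k, v) for k, v in attrs.items()}
    signed = json.dumps(digests, sort_keys=True).encode()
    return {"attributes": attrs, "salts": salts, "digests": digests,
            "signature": hmac.new(ISSUER_KEY, signed, "sha256").hexdigest()}


def present(mdl: dict, requested: list) -> dict:
    """Holder side. The presentation carries the full signed digest list but
    values and salts only for the attributes the verifier requested."""
    return {
        "digests": mdl["digests"],
        "signature": mdl["signature"],
        "disclosed": {k: {"value": mdl["attributes"][k],
                          "salt": mdl["salts"][k].hex()} for k in requested},
    }


def verify(presentation: dict):
    """Verifier side, fully offline: no call back to the issuer, so the issuer
    never learns where or when the credential was used. Returns the disclosed
    attributes if every check passes, otherwise None."""
    signed = json.dumps(presentation["digests"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, signed, "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None  # digest list was not signed by the issuer
    result = {}
    for name, item in presentation["disclosed"].items():
        digest = _digest(bytes.fromhex(item["salt"]), name, item["value"])
        if name not in presentation["digests"] or \
                not hmac.compare_digest(digest, presentation["digests"][name]):
            return None  # disclosed value does not match the signed digest
        result[name] = item["value"]
    return result


def over_21_check(presentation: dict) -> bool:
    """All a point-of-sale scanner needs: one yes/no, no name, no birth date."""
    attrs = verify(presentation)
    return bool(attrs and attrs.get("age_over_21") is True)


if __name__ == "__main__":
    # Constructed record; the issuance date is fixed so the run is repeatable.
    mdl = issue_mdl({"family_name": "Example", "birth_date": "2005-06-30"})
    pres = present(mdl, ["age_over_21"])
    print(over_21_check(pres))        # False: the holder is 19
    print(sorted(pres["disclosed"]))  # ['age_over_21']: nothing else revealed
```

Two design points carry the privacy properties the EO asks for: verification never contacts the issuer, so the issuer cannot build a log of where the credential was presented, and a verifier that receives only `age_over_21` cannot recover the birth date from the remaining digests because each one is salted with a value it never sees. Tampering with the disclosed boolean fails the digest check, so the yes/no answer is still bound to the issuer’s signature.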

The EO also tackles the cybersecurity of space systems, which play an increasingly critical role in national security and global infrastructure. Federal agencies are tasked with updating contract requirements for civil space systems to include robust cybersecurity measures. These requirements encompass secure command and control mechanisms, anomaly detection, and secure software development practices. Additionally, federal space ground systems will undergo a comprehensive review to identify gaps and improve defenses.

Throughout the executive order, transparency and collaboration are recurring themes. Federal agencies must share cybersecurity information with one another and with private sector partners to create a collective defense. The EO establishes working groups for specific technologies, such as endpoint detection and response solutions, ensuring that agencies and vendors align on best practices. Furthermore, it encourages international cooperation to address global cyber threats, recognizing that cybersecurity transcends national borders.

The executive order’s implementation is to be guided by rigorous oversight and continuous evaluation. The National Cyber Director, in coordination with CISA and other stakeholders, is tasked with monitoring compliance and publicly disclosing outcomes. This accountability is intended to ensure that the measures outlined in the EO translate into tangible improvements in cybersecurity.
