President Joe Biden this week issued an executive order aimed at strengthening the United States’ cybersecurity and making it easier to go after hackers.
The executive order covers areas such as security in third-party software supply chains, software development, identity, the security of internet protocols, encryption, quantum computing, artificial intelligence, infrastructure and network security, and foreign threats.
Given the timing of the executive order — it was issued just days before President-elect Donald Trump takes office — some members of the cybersecurity industry believe that the incoming administration will likely revoke the policy.
However, some experts are optimistic, believing that the Trump administration recognizes the importance of securing the nation’s systems against cyber threats.
Industry professionals have commented on various aspects of the new cybersecurity executive order:
Tara Wisniewski, EVP, Advocacy, Global Markets and Member Engagement, ISC2:
“There’s a lot of discussion around the timing of the order, but we hope that doesn’t overshadow the substance and the importance of the initiatives laid out. It’s important to remember that cybersecurity is a bipartisan issue – in fact, the Trump Administration enacted several EOs in the days before President Biden took office that proved beneficial, and we could certainly envision a similar situation here. We urge the incoming Trump Administration to support the outcomes of this Executive Order and continue building on its foundation to create a more cyber secure nation.”
Katherine Ledesma, VP Public Policy & Government Affairs, Dragos:
On protecting space infrastructure: “In the next Administration, we’ll see a continued focus on the security and resilience of national security systems, as well as a focus on space infrastructure, which remains vulnerable. Protecting these assets, particularly against threats from adversarial nations, is essential to maintaining national security, economic stability, and the continuity of essential services worldwide.
The primary cyber threats to space assets include attacks on ground stations and on-orbit systems. Threat actors can exploit weaknesses in both software and hardware, with ransomware and platform-level compromises posing significant risks. Satellite Command & Control Systems, spacecraft navigation systems, remote sensing, and telemetry systems are all examples of critical systems that could be targeted in an attack.”
On the incoming Trump Administration’s likely response to the Biden EO: “Recent cyber intrusions – including in federal networks – highlight the need to maintain White House momentum and leadership in countering cyber threats. Nothing in this particular Executive Order was a surprise to industry or a deviation from prior Biden Administration cyber policy. However, as with many of the Executive and regulatory actions that we’ve seen in the last few weeks, this will be reviewed as the new Administration takes the helm. There are areas where I expect to see continued, or more aggressive, focus in the new Administration.
This includes transparency and security in federal third-party and software supply chains, as well as working with owners and operators to locate and remove or mitigate adversarial technologies in critical cyber-physical systems, such as ports and the electric grid. Expect to also see more aggressive language on China and less burden on industry.”
MJ Kaufmann, Cybersecurity Author and Instructor, O’Reilly Media:
“Cybercriminals are already leveraging AI in their attacks to make phishing and other social attacks more successful. It’s refreshing to see that the president and his aides are aware of AI’s role in future cybersecurity efforts. While the news may portray AI as a panacea of security, it is far from that stage, but that is not to say that it does not have a valuable role to play. Many existing companies and startups successfully leverage these tools in more efficient detection, analysis, and response to threats.
Traditional threat detection methods often rely on static rules and historical data, which can fail to identify emerging or zero-day threats. Existing tools are ill-suited to analyzing the massive volume of alert data an organization generates daily. By adopting AI, organizations can level the playing field, employing intelligent systems capable of processing vast amounts of data at speeds far beyond human capacity.
There is still much room for growth in this area, but I feel it is safe to predict that AI will empower teams to move beyond merely reacting to threats and leverage predictive analytics to catch and mitigate them proactively. Through large-data analysis, AI will be able to enhance predictive capabilities, identifying potential attack vectors based on evolving trends and enabling organizations to harden their defenses preemptively.”
Ira Winkler, CISO, CYE:
“In general, I am encouraged by the actions being taken. CISA and other organizations have some great people who know what should be done for systematic changes. I am less enthusiastic about the statement about the use of AI to improve cyberdefenses. The reason is that it doesn’t seem to understand what AI is. AI is really just mathematical algorithms that have been around for a while.
AI algorithms have been used in cybersecurity for more than a decade. AI is not a new mythical entity, but an established science. Yes, we need research for how to apply better technologies to current and future problems, but the focus and titling make me believe that the people envisioning such a center are not privy to what AI actually is.”
Greg Young, VP of Cybersecurity and Corporate Development, Trend Micro:
“It’s positive that the Executive Order continues to elevate CISA’s role and provides specifics on strengthening the domain name system (DNS) and supply chain security, emphasizing quantum safety, and further going after the assets of cybercriminals.
There are also good specifics on a deadline for enabling encryption on DNS where it is supported and contract language for new contract language, but the EO doesn’t give any guidance for DNS that doesn’t support encryption. A significant portion of the EO covers gaining telemetry from endpoint detection and response (EDR) solutions in order to better centrally identify threats, which is a good measure. Hopefully the richness of that EDR telemetry will be focused on in the execution of the EO, as that is the real key to identifying attacks early.
The keys to an effective Executive Order dealing with technology are implementing deadlines, specifics, and where necessary, funding to make it happen. These elements, along with penalties, are what has made the SEC cybersecurity breach disclosure regulations have such a significant impact. It’s unfortunate that so many of the EO items are general encouragement, or do not provide specific deadlines or enough action, in addition to no direct funding associated with this EO.”
Jon France, CISO, ISC2:
“It’s great that the US Government continues to recognize both the opportunity of quantum, but also the threat that it poses to classical computing and the encryption systems that protect current economies, digital societies, etc. The continued focus on moving to a Post-Quantum Cryptography landscape is welcome.
With NIST having released approved quantum resilient suites in 2024, the challenge becomes one of change, and whilst commercial availability of quantum computing is not here yet, the change will take time. Put simply, it’s a ‘NOW’ problem. The executive order recognizes this. Even though the focus is on government entities and services, this is a clear call for all to start to act on the change problem.”
Gary Orenstein, Chief Customer Officer, Bitwarden:
“A significant gap in the executive order is its lack of guidance on enterprise password management. While it emphasizes advanced authentication methods like passkeys, it also overlooks the foundational need for strong password habits. Passwords remain – and will remain – a common threat vector for the foreseeable future.
Without mandates encouraging the use of enterprise-wide password managers, organizations risk exposure to credential-based breaches, social engineering, and phishing attacks. Addressing this gap would reinforce basic cybersecurity defenses, ensuring organizations can better secure, share, and manage access credentials and sensitive information as a first line of defense.”
Chris Harris, SVP, Public Sector, DTEX Systems:
“The Biden Administration’s final Cybersecurity Executive Order clearly signals a new era of vigilance against foreign interference, as it specifically calls out China’s persistent cyber threat – mirroring similar concerns about active insider attacks from North Korea (DPRK).
The EO highlights some very real cyber concerns that have been mounting across both the public and private sectors in recent years, but it could be argued that a specific insider threat mention was overlooked, as it has proved to be a prevalent threat vector facing agencies today. It is their responsibility to protect their data and systems, but also their people—especially as state-sponsored adversaries increasingly target insiders. Coupled with rising concerns around AI governance and overlooked third-party vulnerabilities, this EO is a rallying call for federal agencies and private-sector partners alike to collaborate with holistic and proactive approaches to mitigate against rising threats.”
Jason Soroko, Senior Fellow, Sectigo:
“Based on the text of the executive order, each federal agency must transition to quantum-resistant cryptography for all new systems and communications within a specific, near-term timeline—generally set at 18 to 24 months from issuance. The order also mandates that within this same period, agencies develop a detailed plan to retrofit or replace any legacy systems that cannot meet new standards.
In practical terms, this means agencies cannot deploy new encryption tools unless they align with NIST-approved quantum-resistant algorithms.
The order also imposes strict standards on the private sector, especially software suppliers. Firms vying for federal contracts must prove secure development practices and compliance with rigorous testing, patching, and reporting obligations. This can have the effect of forcing suppliers to harden their products overall, not just for offerings meant for the federal government.”
Brian Reed, Sr. Director of Cybersecurity Strategy, Proofpoint:
“The Executive Order outlines ambitious goals like bolstering transparency in software security, enforcing phishing-resistant authentication, and leveraging AI to protect critical infrastructure. But let’s be clear—some of these efforts are not new; some are already in progress, and some are overdue. This Executive Order is as much about playing catch-up as it is about moving cybersecurity forward in the federal government.
The directive’s call for accountability from suppliers, vendors, and third parties in supply chain security sets a new standard, especially for vendors selling to the U.S. federal government. Transparency is no longer simply a nice-to-have—it’s now a mandate. Initiatives like the Cyber Trust Mark and AI-driven threat detection signal a broader push to make cybersecurity a shared responsibility, not just a government priority or a checkbox on an RFI response.”
Steve Horvath, Senior Vice President of Xacta Solutions, Telos Corporation:
“The new executive order points a spotlight on the importance of secure software development and software supply chains, but the caveat is that the criteria required for software vendors to ‘pass’ are obfuscated, which will inevitably cause angina and deplete already-strapped resources. The directive for the National Institute of Standards and Technology (NIST) to provide recommendations on contract requirements to the Federal Acquisition Regulatory Council (FAR Council) will likely be a more effective component of the order.
All in all, this is an opening volley that will be heavily refined in the coming year.”