President Biden’s last-minute cybersecurity executive order (EO) – should it survive the incoming administration – could have a resounding impact on MSSPs.
The outgoing president, who has made protecting U.S. critical infrastructure and businesses from adversaries a focus of his administration, touched on a range of issues facing the country, from ransomware and threats from countries like Russia, China, Iran, and North Korea to the pros and cons of advanced technologies like AI and quantum computing.
There also was a heavy focus on protecting the software supply chain, not only reiterating the need for programmers to incorporate security in every part of the design chain but also saying that software makers should have to attest to the security of their products and prove that they comply with government-determined security requirements.
Areas like AI, increased sanctions, and leveraging AI for cyber defense will significantly affect MSSPs and MSPs that include security services in their lineups, according to Eric Schwake, director of cybersecurity strategy at Salt Security.
“By adjusting their services and expertise to match the aims set forth in the executive order, MSSPs can significantly contribute to enhancing the nation's cybersecurity stance and protecting critical infrastructure and organizations from evolving cyber threats,” Schwake told MSSP Alert.
Meeting New Requirements
For example, to address the demand for enhanced security assessments, MSSPs will have to implement comprehensive API security evaluations in their offerings that assess the security posture of their clients' APIs and identify potential vulnerabilities, he said.
Regarding AI, service providers will need to expand their use of AI-driven offerings to improve threat detection and response capabilities for clients.
“This approach will allow them to identify and address API-specific threats proactively,” Schwake said, noting the importance the EO put on APIs. “As APIs grow vital to critical infrastructure and business operations, MSSPs must cultivate specialized expertise in API security to meet the rising demand for these services. This encompasses providing API discovery, posture governance and threat protection capabilities.”
In addition, MSSPs need to be on top of changes in the regulatory and compliance environment associated with securing the software supply chain and sanctions enforcement, and provide detailed reports to clients about their security posture and compliance status. They should also be ready to collaborate with the government and others in the security industry, as well as engage in industry initiatives, to keep updated on emerging threats and best practices.
Jason Soroko, Senior Fellow at Sectigo, which provides certificate lifecycle management, told MSSP Alert that the EO “raises the bar for MSSPs managing federal cybersecurity,” noting the stricter requirements around quantum-resistant encryption, end-to-end secure development, continuous monitoring, rapid incident response, and rigorous patch management.
They also need to be aware of the risks of non-compliance, including the loss of contracts or legal and financial penalties.
“Yet, these tougher standards also create opportunities,” Soroko said. “By aligning services with the order’s directives – especially AI-driven threat detection, secure software supply chain management, and quantum-safe encryption – MSSPs can become important partners for government and commercial clients seeking stronger, future-proof cybersecurity.”
Biden and Cybersecurity
The EO was Biden’s second regarding cybersecurity, with the first coming just months into his term in May 2021. Multiple agencies, from CISA and the Justice Department to the Federal Trade Commission and Federal Communications Commission (FCC), took a hard stance against cyberthreats, particularly from foreign adversaries.
In the waning days of his administration, the focus continued, with the Treasury Department last week sanctioning a Chinese national for his role in a recent breach of the department’s network, and a Chinese cybersecurity company, Sichuan Juxinhe Network Technology Co., for its work with Salt Typhoon, a state-sponsored threat group that compromised the networks of multiple telecoms in the United States, including AT&T, Verizon, and T-Mobile.
In addition, the FCC announced the intention to create stronger requirements for telecoms to strengthen their defenses against such intrusions, with outgoing Chairwoman Jessica Rosenworcel outlining the urgency.
At the FCC, “we now have a choice to make,” Rosenworcel said in a statement. “We can turn the other way and hope this threat goes away. But hope is not a plan. Leaving old policies in place when we know what new risks look like is not smart. Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern.”
Uncertain Future for the EO
It remains to be seen if Biden’s EO – as well as the FCC’s rulemaking proposal and other actions taken by the federal government over the past four years – will survive the incoming Trump Administration, which takes over Monday.
“Despite the strong chance that the order will be promptly reversed with the administration change, this EO is a clear effort to ensure that the core cybersecurity, safety, and international relations equities conclusions developed over the past four years are a part of the U.S. policy zeitgeist,” said Casey Ellis, founder of crowdsourced cybersecurity company Bugcrowd.
Andrew Borene, executive director of global security for Flashpoint and a former senior official with the Office of the Director of National Intelligence (ODNI), said the EO “reflects a broader understanding that cybersecurity is no longer just a technical issue, but a national security imperative. However, its true impact will depend on whether the next administration builds on these efforts. Cybersecurity transcends partisanship; it’s a constant race between defense and evolving threats.”