The United States government is taking a major leap forward for cybersecurity. The newly released Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity calls on the US government to improve the security of its own systems. New cybersecurity procurement requirements for federal contractors will have a broad impact by leveraging the “power of the purse” to drive market demand for strong cybersecurity.
While a big step forward, the executive order is also a clear example of the increasing focus the US federal government has placed on cybersecurity over the course of two different administrations. Since 2016, there have been at least ten cybersecurity-related executive orders. Today’s order builds directly on a previous order from 2021, and less directly on several others. For instance, a 2017 executive order spurred work to combat botnets, helping drive awareness of routing security issues among the private sector and government and eventually leading to the routing security requirements seen in today’s executive order.
The breadth of topics covered is impressive, and far too many to review in a single blog post, so we will focus on a few that we at the Internet Society are especially excited about:
Routing Security
The executive order directs US government agencies to sign contracts with the American Registry for Internet Numbers (ARIN) and then to create and publish Route Origin Authorizations (ROAs) using Resource Public Key Infrastructure (RPKI). A ROA is a cryptographically signed statement of which network is authorized to originate a given prefix, so other network operators can check route announcements against it and avoid routing incidents.
In May of 2024, we pointed out that “only around 1% of routes from US government-run networks could be verified with RPKI,” so the new measures will be a huge leap forward. Additionally, the executive order calls for the development of new procurement requirements for federal contractors, which would require these vendors to register ROAs and also implement Route Origin Validation (ROV). ROV uses ROAs to filter out invalid routing announcements and avoid routing incidents.
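To show what ROV actually does with published ROAs, here is an added example (not Internet Society code, and not from any RPKI validator) that implements the origin validation states defined in RFC 6811 over a constructed set of ROAs using documentation prefixes and private-use ASNs:

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROAs."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the resource holder authorised
    max_length: int  # longest more-specific the origin may announce
    origin_asn: int  # AS authorised to originate the prefix


def rov_state(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # Covered: the ROA prefix is equal to or less specific than the route.
        # ('in' is False across address families, so v4 and v6 never mix.)
        if not (route.network_address in roa_net
                and roa_net.prefixlen <= route.prefixlen):
            continue
        covered = True
        # Matched: within maxLength and originated by the authorised AS.
        if route.prefixlen <= roa.max_length and origin_asn == roa.origin_asn:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin AS or a more-specific
    # beyond maxLength (the shape of a hijack or leak). Not covered at all:
    # the resource holder has published no RPKI data for this space.
    return "invalid" if covered else "not-found"


def rov_filter(announcements: Iterable[Tuple[str, int]],
               roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Common ROV policy: drop 'invalid', keep 'valid' and 'not-found'."""
    roas = list(roas)
    return [(p, asn) for p, asn in announcements
            if rov_state(p, asn, roas) != "invalid"]


# Constructed ROAs, standing in for what an agency would publish via ARIN.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("2001:db8::/32", 48, 64496),
]
```

Note that a prefix shorter than any ROA covering it (an aggregate) is "not-found" rather than "invalid", which is why ROV alone does not block every mis-origination and why ROA coverage, not just ROV deployment, matters.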
Through our support of the Mutually Agreed Norms for Routing Security (MANRS) initiative, we’ve worked to develop strong routing security as a competitive differentiator to incentivize industry to tackle this problem. Making routing security a procurement requirement provides a big boost toward shaping market demand.
End-to-end Encryption
The order requires strong encryption for federal government communications, including email, voice, and video conferencing systems. This includes using transport encryption and end-to-end encryption by default where possible while still logging and archiving communications. The order also acknowledges strong encryption as a cybersecurity best practice.
This is welcome guidance that will help set an important baseline for adopting encryption by default to protect the privacy and security of government communications, guarding against interception by adversaries.
Domain Name System Security
The order makes support for and enabling of encrypted Domain Name System (DNS) protocols a requirement for government agencies, and also a procurement requirement for any product acting as a DNS resolver for federal agencies. The DNS serves as the directory lookup for the Internet, making it easier for humans to navigate the Internet and easier for online services to achieve high resilience.
By implementing encrypted DNS and making it a procurement requirement, the US government will better protect the security and confidentiality of its users. It will also help shape the market for secure DNS, increasing the use of secure DNS in the private sector.
Transport Layer Security
The order requires US government agencies to support Transport Layer Security protocol version 1.3 (TLS 1.3) or a successor version “as soon as practicable,” but no later than 2 January 2030. TLS is an Internet standard, developed at the Internet Engineering Task Force (IETF), used to prevent eavesdropping, tampering, and message forgery for a wide range of Internet applications.
TLS 1.3 addresses known problems with the previous versions and improves both security and performance. By committing to implement TLS 1.3, the US government will not only improve the security of its own networks but also provide a vote of confidence in TLS 1.3. Leading by example can help other governments and the private sector embrace TLS 1.3 as well.
The security of the Internet relies on countless stakeholders taking action against the challenges that lie closest to them. When a big player like the US government embraces cybersecurity best practices to take on the challenges in its own corner of the Internet, it creates a positive feedback loop that leads to even wider implementation among stakeholders.
Today’s executive order on cybersecurity is a big moment and the Internet Society is excited to be a resource to the US government as it puts this executive order into action.
Learn more about the technologies that enable the Internet to safely grow and evolve at Internet Society Pulse.