
About Biden's Last Executive Order on Cybersecurity

2025-01-19

The Biden administration issued its last Executive Order, on Strengthening and Promoting Innovation in the Nation's Cybersecurity, on January 16th. While a U.S.-centric document, this EO has several implications for Europe - particularly for our aspirations of achieving digital sovereignty and fostering a thriving, open, and secure digital ecosystem - that we must discuss. Additionally, we must analyze this EO not just in the context of the previous administration but through the lens of the new reality: President Trump's second term begins today.

At the EuroStack Initiative, we've carefully analyzed this EO. While we see both areas of alignment and potential concern, one aspect stands out as a clear call to action for Europe: the surprisingly positive stance on open source software.

A Transatlantic Convergence on Open Source?

The EO's recognition of open source as a strategic asset for innovation and security (Section 2(e)) is a significant development:

(e) Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software. Within 120 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, and the Director of OMB, in consultation with the Administrator of General Services and the heads of other agencies as appropriate, shall jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.

It acknowledges the challenges posed by insecure software, but it also highlights the benefits of better managing the use of open source in Federal systems, promoting security assessments and patching, and supporting best practices for contributing to open source projects. We take it as a validation of the EuroStack Initiative's core belief in open source as a cornerstone of European digital independence.

This positive stance on open source from the U.S. should strengthen our call to the EU: now is the time to reinforce our own commitment to open source, not just as a technological choice, but as a strategic imperative for our digital future. We must build upon existing initiatives like the European Commission's Open Source Strategy (2020-2023) and move decisively towards an "Open Source First" approach across public procurement, research, and development, as advocated by the EuroStack Initiative.

The EO Through a Multifaceted European Lens: Ally, Competitor, and the Reality of a Second Trump Administration

We must view this EO through a nuanced lens, recognizing the U.S. as both a vital security ally and a major economic competitor in the digital sector. Moreover, we must now interpret this EO within the context of a new Trump administration, which adds a layer of significant uncertainty.

As Europeans, we must ask ourselves three crucial questions.

1. How will this complex relationship with the U.S. in the cybersecurity domain evolve, particularly now that President Trump has taken office?

We share common security concerns, especially regarding state-sponsored cyber threats. However, the EO's potential economic implications, particularly for European SMEs, cannot be ignored.

The previous Trump administration was characterized by a protectionist approach, often leading to tensions with European allies. While the EO was issued under the Biden administration, its implementation will fall under the new Trump administration. This raises several concerns:

  • Potential for Increased Protectionism: There's a real risk that the EO's provisions, particularly those related to software attestations and CISA oversight, could be used to favor U.S. companies and create barriers for European businesses under the guise of national security.
  • Unpredictability: The first Trump administration was known for its unpredictable foreign policy. This makes it difficult to anticipate how the new administration will approach cybersecurity cooperation with Europe. It's possible that existing transatlantic partnerships could be deprioritized or even undermined, and that existing sources of tension could be exacerbated.
  • Weaponization of Cybersecurity: There's a concern that cybersecurity could become further politicized and weaponized in trade disputes. The EO's provisions could be used as leverage in broader negotiations, putting European companies at a disadvantage.

However, a more inward-looking U.S. might also present an opportunity for Europe to assert its leadership in digital policy and champion a values-based approach to technology, attracting partners who share our commitment to privacy, security, and open standards.

The uncertainty underscores the urgency of strengthening European digital sovereignty. We cannot rely solely on the goodwill of our allies; we must build our own resilient and independent digital ecosystem.

2. What are the concrete implications for European companies exporting digital technologies to the U.S.?

The EO's requirements for software attestations and artifact submission to CISA (Section 2(b)(i-vi)) create a significant compliance burden.

  • Increased Costs and Bureaucracy: European companies, especially SMEs, will face increased costs associated with meeting the EO's requirements. They will need to invest in legal expertise, technical capabilities, and administrative processes to comply with the attestation and artifact submission process. This could divert resources away from innovation and growth.
  • Potential for Market Exclusion: Companies that struggle to meet the EO's requirements, or whose software is deemed insecure by CISA, could face exclusion from the U.S. government market. This could have a chilling effect on European companies' willingness to export to the U.S., particularly for those heavily reliant on government contracts. The reputational damage from being publicly labeled as non-compliant could also be significant.
  • Data Security and Privacy Concerns: The requirement to submit detailed software information to a U.S. government repository raises concerns about data security and potential unauthorized access. European companies are also subject to strict data protection regulations under the GDPR. They will need to carefully assess whether compliance with the EO's data submission requirements is compatible with their obligations under EU law. The potential for conflicts between U.S. demands and European data protection principles is a serious concern.
  • Disproportionate Impact on SMEs: SMEs, which often lack the resources of larger corporations, will be disproportionately affected by the EO's requirements. This could stifle innovation and reduce competition in the market, ultimately harming both European and U.S. interests.
  • Uncertainty and Legal Risks: The provision allowing the National Cyber Director to publicly disclose validation results and refer failed attestations to the Attorney General creates uncertainty and potential legal risks for companies. The lack of clear guidelines and the potential for arbitrary decisions could deter European companies from entering the U.S. market or lead them to adopt overly cautious approaches that stifle innovation.

We must ensure that European companies, especially SMEs, are not unfairly disadvantaged. The EU needs to engage with the new U.S. administration to clarify the implementation of the EO and advocate for a more balanced approach that takes into account the interests of European businesses. We also need to explore mechanisms to support European SMEs in meeting these new requirements, such as providing guidance, training, and potentially financial assistance.

3. How does this EO compare to the EU's own Cyber Resilience Act (CRA), and what can we learn from each other?

This is a crucial question for shaping our path forward. Here's a comparison:

Scope
  • U.S. Executive Order: Primarily focuses on software procured by the U.S. Federal Government and used in critical infrastructure.
  • EU Cyber Resilience Act: Broader scope, covering a wide range of digital products and services placed on the EU market.

Approach
  • U.S. Executive Order: Centralized and prescriptive, with CISA playing a significant role in verifying attestations and validating software.
  • EU Cyber Resilience Act: Relies more on self-assessment by manufacturers and conformity assessments by notified bodies, in line with the EU's New Legislative Framework.

Enforcement
  • U.S. Executive Order: Relies on existing procurement regulations and potential legal action by the Attorney General.
  • EU Cyber Resilience Act: Establishes a framework for market surveillance and enforcement by national authorities, with the possibility of fines and other penalties for non-compliance. Includes Coordinated Vulnerability Disclosure.

Open Source
  • U.S. Executive Order: Explicitly addresses open source software, recognizing its importance and calling for better management of its use in Federal systems.
  • EU Cyber Resilience Act: Treatment of open source is more complex, with certain obligations potentially applying to entities that make open source software available on the market in the course of a commercial activity.

Data Sharing
  • U.S. Executive Order: Mandates the submission of software attestations and artifacts to a U.S. government repository (CISA's RSAA).
  • EU Cyber Resilience Act: Does not include such a requirement. Includes provisions on reporting vulnerabilities and incidents to national authorities and CSIRTs.

Conformity Assessment
  • U.S. Executive Order: Does not create a formal conformity assessment scheme. Burden of proof lies with the software provider.
  • EU Cyber Resilience Act: Creates a conformity assessment scheme with different levels of assurance, including third-party assessment for higher-risk products.

The EO represents a targeted, government-centric approach to securing U.S. Federal systems, while the CRA is a broader, market-oriented regulation aimed at raising the cybersecurity baseline across the EU.

The CRA's approach, with its emphasis on self-assessment and conformity assessments, aligns more closely with the European tradition of co-regulation and industry involvement. It also places greater emphasis on a risk-based approach, which allows for more flexibility and proportionality.

However, the EO's strong stance on open source offers a valuable lesson for Europe. We should use this as an impetus to strengthen the CRA's provisions on open source, ensuring that it truly enables, rather than hinders, the use of open source solutions in Europe. The current ambiguity in the CRA regarding the responsibilities of open source developers and distributors needs to be addressed. We need clearer guidelines that encourage the use of open source while ensuring appropriate security measures are in place. There are also opportunities to explore a middle ground, such as a more streamlined process for open source projects to demonstrate security assurance, perhaps through a "lighter-touch" conformity assessment process or the development of specific security standards for open source components.

The Path Forward: Strengthening the EuroStack Vision

The U.S. Executive Order, despite its potential challenges, presents an opportunity for Europe to reaffirm its commitment to digital sovereignty and accelerate the development of a robust, open, and secure digital ecosystem. The EuroStack Initiative will be at the forefront of this effort, advocating for:

  • A Stronger European Stance on Open Source: We need a clear and unequivocal "Open Source First" policy across the EU, coupled with concrete measures to support the development, maintenance, and security of critical open source projects. Public money must fund public code. We should establish new, or reinforce existing, dedicated funding programs for open source security audits and bug bounty programs.
  • A European Cybersecurity Framework that Protects European Interests: We must ensure that any new cybersecurity measures, inspired by the EO or otherwise, do not inadvertently disadvantage European companies or compromise our values. This includes a careful consideration of data sovereignty, privacy, and due process concerns, particularly in light of the new U.S. administration's potential approach to these issues. We need to carefully consider how we approach the burden of proof related to security, ensuring that it does not create an overly burdensome or discriminatory system. The potential for using security as a pretext for protectionism must be actively addressed.
  • Targeted Support for European SMEs: We must provide resources and support to help European SMEs adapt to increasingly complex cybersecurity imperatives and regulations and compete effectively on the global stage. This could include funding for cybersecurity training, support for implementing security best practices, and assistance in navigating international regulations.
  • Constructive Transatlantic Dialogue: Despite the expected increased friction with the new U.S. administration, we must maintain an open and constructive dialogue with our U.S. counterparts, seeking common ground and collaborating on areas of mutual interest, such as the development of international cybersecurity standards. However, this dialogue must be based on a clear understanding of European interests and a willingness to defend them. We should not shy away from raising concerns about the potential negative impacts of U.S. policies on European businesses and citizens.
  • A Focus on the Long Term, Not Just the Urgent: We cannot be reactive. The changing geopolitical climate - now including the known variable of a second Trump administration - means we must be proactive in building a resilient digital ecosystem for Europe. This requires long-term investments in research and development, skills training, and the development of a strong European cybersecurity industry.

The EuroStack Initiative believes that Europe can lead the way in building a digital future that is both secure and open, based on our shared values of democracy, transparency, and collaboration. Let us seize this moment to strengthen our resolve, reinforce our commitment to open source, and build a truly sovereign European digital future. We must not be caught flat-footed by the policies of other nations but must proactively shape our own destiny.