{"id":218657,"date":"2025-01-16T21:44:35","date_gmt":"2025-01-16T21:44:35","guid":{"rendered":"https:\/\/www.internetsociety.org\/?p=218657"},"modified":"2025-12-01T17:15:30","modified_gmt":"2025-12-01T17:15:30","slug":"todays-us-executive-order-is-a-serious-win-for-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.internetsociety.org\/blog\/2025\/01\/todays-us-executive-order-is-a-serious-win-for-cybersecurity\/","title":{"rendered":"Today\u2019s US Executive Order is a Serious Win for Cybersecurity"},"content":{"rendered":"\n<p>The United States government is taking a major leap forward for cybersecurity. The\u00a0newly released <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2025\/01\/16\/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Executive Order on Strengthening and Promoting Innovation in the Nation\u2019s Cybersecurity<\/a>\u00a0calls on the US government to improve the security of its own systems.\u00a0New cybersecurity procurement requirements for federal contractors will have a broad impact by leveraging the \u201cpower of the purse\u201d to drive market demand for strong cybersecurity.<\/p>\n\n\n\n<p>While a big step forward, the&nbsp;executive order is also a clear example of the increasing focus the US federal government has placed on cybersecurity over the course of two different administrations. Since 2016, there have been at least ten cybersecurity-related executive orders. This&nbsp;one from today&nbsp;directly&nbsp;builds&nbsp;from&nbsp;a<a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">&nbsp;previous&nbsp;order&nbsp;from 2021<\/a>, but it also builds off others in less direct ways. 
For instance, a&nbsp;<a href=\"https:\/\/trumpwhitehouse.archives.gov\/presidential-actions\/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure\/\" target=\"_blank\" rel=\"noreferrer noopener\">2017 executive order<\/a>&nbsp;spurred work to combat botnets, helping drive awareness of routing security issues among the private sector and government and eventually leading to the routing security requirements seen in today\u2019s executive order.&nbsp;<\/p>\n\n\n\n<p>The breadth of topics&nbsp;covered&nbsp;is impressive, and far too many to&nbsp;review&nbsp;in a single blog post, so we will focus on a few&nbsp;that&nbsp;we at the Internet Society are especially excited about:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"g-m5ztyg4t\">Routing Security<\/h4>\n\n\n\n<p>The\u00a0executive order directs\u00a0US government agencies to sign contracts with\u00a0the American Registry for Internet Numbers (ARIN)\u00a0and then to create and publish Route Origin Authorizations (ROAs) using Resource Public Key Infrastructure (RPKI). ROAs cryptographically validate route announcements, allowing other network operators to help avoid routing incidents.\u00a0<\/p>\n\n\n\n<p>In May of 2024, we pointed out that\u00a0\u201c<a href=\"https:\/\/www.internetsociety.org\/blog\/2024\/05\/the-us-makes-a-big-step-toward-better-routing-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">only around 1% of routes from US government-run networks could be verified with RPKI<\/a>,\u201d\u00a0so the new measures will be a huge leap forward. Additionally, the executive order calls for the development of new procurement requirements for federal contractors, which would require these vendors to register ROAs and also implement Route Origin Validation (ROV). 
ROV uses ROAs to filter out invalid routing announcements and avoid routing incidents.\u00a0<\/p>\n\n\n\n<p>Through our support of the Mutually Agreed Norms for Routing Security (<a href=\"https:\/\/manrs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MANRS<\/a>) initiative, we\u2019ve worked to develop strong routing security as a competitive differentiator to incentivize industry to tackle this problem. Making routing security a procurement requirement provides a big boost toward shaping market demand.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"g-m5zu3nma\">End-to-end Encryption<\/h4>\n\n\n\n<p>The order requires strong encryption for federal government communications, including email, voice, and video conferencing systems. This includes using transport encryption and end-to-end encryption by default where possible while still logging and archiving communications. The order also acknowledges strong encryption as a cybersecurity best practice.&nbsp;<\/p>\n\n\n\n<p>This is welcome guidance that will help set an important baseline for adopting encryption by default to protect the privacy and security of government communications, guarding against interception by adversaries.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"g-m5zu4jf6\">Domain Name System Security<\/h4>\n\n\n\n<p>The order will make the support and enabling of encrypted domain name system (DNS) protocols a requirement for government agencies and a procurement requirement for any product acting as a DNS resolver for federal agencies. The DNS serves as a directory lookup for the Internet, making it easier for humans to navigate the Internet and for online services to achieve high resilience.&nbsp;<\/p>\n\n\n\n<p>By implementing encrypted DNS and making it a procurement requirement, the US government will better protect the security and confidentiality of its users. 
It will also help shape the market for secure DNS, increasing the use of secure DNS in the private sector.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"g-m5zu5ixd\">Transport Layer Security<\/h4>\n\n\n\n<p>The order requires US government agencies to support Transport Layer Security protocol version 1.3 (TLS 1.3) or a successor version \u201cas soon as practicable,\u201d but no later than 2 January, 2030. TLS is an Internet standard, developed at the Internet Engineering Task Force (IETF),\u00a0used to prevent eavesdropping, tampering, and message forgery for various Internet applications.\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/www.internetsociety.org\/blog\/2018\/08\/internet-security-gets-a-boost\/\" target=\"_blank\" rel=\"noreferrer noopener\">TLS 1.3 addresses<\/a> known problems with the previous versions and improves security and performance. By committing to implementing TLS 1.3, the US government will not only improve the security of its own networks but also provide a vote of confidence in TLS 1.3. Leading by example can help other governments and those in the private sector embrace implementing TLS 1.3 as well.\u00a0<\/p>\n\n\n\n<p>The security of the Internet relies on countless stakeholders taking action against the challenges that lie closest to them. 
When a big player like the US government embraces cybersecurity best practices to take on cybersecurity challenges in their own corner of the Internet, it creates a positive feedback loop that will lead to even wider implementation among stakeholders.&nbsp;<\/p>\n\n\n\n<p>Today\u2019s executive order on cybersecurity is a big moment and the Internet Society is excited to be a resource to the US government as it puts this executive order into action.&nbsp;<\/p>\n\n\n\n<h5 class=\"wp-block-heading has-accent-purple-color has-text-color has-link-color wp-elements-8a0a00dc66ce4c0e0ca84e60baf5b76a\">Learn more about the technologies that enable the Internet to safely grow and evolve at\u00a0<a href=\"https:\/\/pulse.internetsociety.org\/en\/technologies\/\" target=\"_blank\" rel=\"noreferrer noopener\">Internet Society Pulse.<\/a><\/h5>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Image \u00a9 Photo by\u00a0<a href=\"https:\/\/unsplash.com\/@nhuenerfuerst?utm_content=creditCopyText&amp;utm_medium=referral&amp;utm_source=unsplash\">Nils Huenerfuerst<\/a>\u00a0on\u00a0<a href=\"https:\/\/unsplash.com\/photos\/a-large-white-building-with-a-flag-on-top-of-it-KRwD1yvl1sg?utm_content=creditCopyText&amp;utm_medium=referral&amp;utm_source=unsplash\">Unsplash<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The United States government is taking a major leap forward for cybersecurity. 
The\u00a0newly released Executive Order on Strengthening and Promoting Innovation in the Nation\u2019s Cybersecurity\u00a0calls on the US government to improve the security of its own systems.\u00a0<\/p>\n","protected":false},"author":1029,"featured_media":218658,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_uag_custom_page_level_css":"","footnotes":""},"categories":[40,98,4898,4738],"tags":[782,6211],"region_news_regions":[37],"content_category":[6085],"ppma_author":[4063,5955],"class_list":["post-218657","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption","category-public-policy","category-strong-internet","category-security-1","tag-routing-security","tag-tls","region_news_regions-north-america","content_category-blog-type"],"acf":[],"uagb_featured_image_src":{"full":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House.jpg",1200,550,false],"thumbnail":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-150x150.jpg",150,150,true],"medium":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-450x206.jpg",450,206,true],"medium_large":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-768x352.jpg",768,352,true],"large":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-1024x469.jpg",1024,469,true],"1536x1536":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House.jpg",1200,550,false],"2048x2048":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House.jpg",1200,550,false],"post-thumbnail":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-250x115.jpg",250,115,true],"square":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-600x550.jpg",600,550,true],"gform-image-ch
oice-sm":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-300x300.jpg",300,300,true],"gform-image-choice-md":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-400x400.jpg",400,400,true],"gform-image-choice-lg":["https:\/\/www.internetsociety.org\/wp-content\/uploads\/2025\/01\/US-White-House-600x550.jpg",600,550,true]},"uagb_author_info":{"display_name":"Ryan Polk","author_link":"https:\/\/www.internetsociety.org\/author\/polk\/"},"uagb_comment_info":0,"uagb_excerpt":"The United States government is taking a major leap forward for cybersecurity. The\u00a0newly released Executive Order on Strengthening and Promoting Innovation in the Nation\u2019s Cybersecurity\u00a0calls on the US government to improve the security of its own systems.\u00a0","authors":[{"term_id":4063,"user_id":1029,"is_guest":0,"slug":"polk","display_name":"Ryan Polk","avatar_url":{"url":"https:\/\/www.internetsociety.org\/wp-content\/uploads\/2022\/06\/Ryan-Polk.jpg","url2x":"https:\/\/www.internetsociety.org\/wp-content\/uploads\/2022\/06\/Ryan-Polk.jpg"},"author_category":"","last_name":"Polk","first_name":"Ryan Polk","job_title":"","user_url":"","description":""},{"term_id":5955,"user_id":1850,"is_guest":0,"slug":"perrino","display_name":"John 
Perrino","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/8eea754b8d9ed7444d5f649f20dbdfd76186af86a9dd7fa3298e08e8049fb666?s=96&d=mm&r=g","author_category":"","last_name":"Perrino","first_name":"John","job_title":"","user_url":"","description":""}],"_links":{"self":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/posts\/218657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/users\/1029"}],"replies":[{"embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/comments?post=218657"}],"version-history":[{"count":0,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/posts\/218657\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/media\/218658"}],"wp:attachment":[{"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/media?parent=218657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/categories?post=218657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/tags?post=218657"},{"taxonomy":"region_news_regions","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/region_news_regions?post=218657"},{"taxonomy":"content_category","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/content_category?post=218657"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.internetsociety.org\/wp-json\/wp\/v2\/ppma_author?post=218657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}