On January 16th, 2025, President Joe Biden signed a comprehensive executive order aimed at bolstering the United States’ cybersecurity infrastructure. This directive introduces several key measures to enhance the nation’s defense against evolving cyber threats.
This executive order, titled “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity”, represents a significant step in strengthening the nation’s cybersecurity posture, addressing current challenges, and preparing for future technological developments. Its implementation is expected to have lasting impacts on how the United States safeguards its digital infrastructure.
The executive order is prescient and outlines an appropriate response to the contemporary cybersecurity threats facing the Nation. Yet, execution of the described strategy falls to the tasked agencies and broader software industry.
Suppliers both inside and outside the federal government should seek out innovative cybersecurity technologies; reliance on conventional approaches is likely to fall short in the face of emerging threats.
Executive Order 14144: “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity”
- Strengthening Cybersecurity Standards: Mandates stringent standards for federal agencies, contractors; ensures vendors uphold secure software practices.
- Leveraging Artificial Intelligence (AI): Establishes AI defense program in the Department of Defense; pilots AI for energy sector infrastructure protection.
- Advancing Quantum-Resistant Encryption: Accelerates shift to post-quantum cryptography; prepares agencies against quantum threats.
- Enhancing Sanctions Against Cyber Threats: Updates sanctions to target foreign cyber attackers; lowers thresholds for ransomware sanctions.
- Securing Space Systems and IoT Devices: Sets cybersecurity requirements for space assets; enhances IoT security standards.
- Overall Goal: Strengthens national cybersecurity; addresses technological challenges.
Innovations for the Nation’s Cybersecurity
The Small Business Innovation Research (SBIR) / Small Business Technology Transfer (STTR) Program is one way the Government successfully invests in cybersecurity innovation to protect the nation. Through the SBIR/STTR programs, “America’s Seed Fund” awards non-dilutive funding to develop technology and chart a path toward commercialization. Since 1982, SBIR funding has moved countless ideas from tiny sparks into transformative technologies.
As a case in point, the following showcases mostly SBIR-funded cybersecurity innovations directly supporting the requirements of the EO. ObjectSecurity stands ready to aid in fulfilling the goals outlined in this executive order, helping protect the nation against cyber threats.
Emerging Tech to Detect/Combat Software Vulnerabilities
As stated by the President:
“…promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies…and with[in] the private sector are especially critical to improvement of the Nation’s cybersecurity.”
Based on our DoD-funded research, our recent groundbreaking progress in automated, advanced binary analysis represents an outstanding opportunity to enhance the Nation’s cybersecurity. ObjectSecurity’s BinLens™ has been designed to analyze software binaries (including device firmware) and identify zero-day vulnerabilities with high accuracy. It employs advanced technical innovations, including symbolic execution, to detect issues such as memory-safety violations, stack and heap overflows, cryptographic weaknesses, and other forms of undefined behavior across numerous CPU architectures.
“The Biden White House is also launching a partnership with the private sector to develop tools…to better secure the energy sector, specifically by scanning for vulnerabilities and automatically suggesting potential patches.”
Unlike traditional SAST and source-code scanning tools, BinLens automates key manual reverse engineering tasks such as static analysis, disassembly, and decompilation. Using symbolic execution, BinLens delivers a significantly lower false-positive rate than competing tools. It does not rely solely on known vulnerabilities, as many SBOM and software composition analysis tools do. Low false-positive rates are critical for cybersecurity teams so that limited resources can be focused on what really matters.
Ensuring Software Vendor Accountability
As stated in the Executive Order, software vendors negligent in their care for cybersecurity represent a critical gap in the Nation’s security.
“Software vendors who sell to the government will have to prove they’re using secure development practices to win and keep lucrative federal contracts. Standards for verifying compliance will be developed by the National Institute of Standards and Technology, or NIST. The executive order will also enforce cybersecurity standards for buying new space systems.”
Secure software acquisition practices are critical because they ensure that the software used by organizations is free from vulnerabilities, malicious code, and other security risks. By evaluating software for secure development practices, organizations can prevent potential breaches, data leaks, and system compromises caused by flaws or hidden threats.
Although the executive order clarifies the problem, it presents only a partial look at the solution. How can we ensure software (and its vendors) are secure? By what metrics can security be measured?
Based on our NIST-funded research, ObjectSecurity’s vendor cyber-hygiene score website offers one method of conducting this measurement. With this early-stage website, ObjectSecurity seeks to design, develop, and release a novel scoring methodology to rank software/hardware vendors based upon the quality of their cyber-hygiene practices. By publishing vendor cyber scores to the public, we aim to incentivize software/hardware vendors to be more proactive in adopting better cybersecurity practices. We wish to foster a more transparent relationship between vendors and customers, one where both parties engage with the cybersecurity risks associated with the products they make and/or use.
“The Federal Government must continue to adopt secure software acquisition practices and take steps so that software providers use secure software development practices to reduce the number and severity of vulnerabilities in software they produce.”
In this way, ObjectSecurity’s approach is poised to address the threat negligent software vendors pose, by motivating them to adopt better secure software development practices. One objective is to influence future NIST guidelines and services such as the National Vulnerability Database (NVD) towards incentivization of good cybersecurity practices.
Securing AI Systems
The Executive Order addresses a critical concern about security gaps in the increasingly widespread adoption of AI/ML systems:
“…prioritize…methods for designing secure AI systems; and methods for prevention, response, remediation, and recovery of cyber incidents involving AI systems.”
AI systems should be secured because they increasingly power critical applications, handle sensitive data, and make decisions that impact individuals, businesses, and governments. If compromised, AI systems can be manipulated to produce harmful outputs, leak confidential information, or disrupt essential services. Securing these systems ensures the integrity of their decision-making processes, protects against adversarial attacks, and maintains trust in their use. Additionally, as AI systems become more integrated into daily life, robust security is essential to prevent misuse, safeguard privacy, and mitigate risks from malicious actors exploiting vulnerabilities. Tools are needed that can analyze AI/ML systems to detect vulnerabilities.
ObjectSecurity has made great strides in supporting improved AI/ML cybersecurity. Based on our DoD-funded research, ObjectSecurity AI/ML Trust Analysis can be integrated into DevSecOps to prevent emerging security threats and ensure the compliance of AI models. Such models are rigorously tested in terms of their performance, sensitivity, and robustness under certain stress factors.
Conclusion
Many stakeholders who play a direct or indirect role in our nation’s cybersecurity are currently insufficiently incentivized to adopt available cybersecurity innovations, including those invested in by the Government under the SBIR/STTR Program. Executive Order 14144 is an important step in the right direction, acknowledging the critical need for the nation to move cybersecurity beyond conventional tools and approaches. Innovations in vulnerability scanning such as ObjectSecurity’s BinLens binary analysis product directly address the Executive Order’s requirements with groundbreaking automated binary vulnerability analysis using symbolic execution. Efforts like ObjectSecurity’s NCT vendor scoring SBIR research for NIST push software vendor accountability forward in innovative ways, and help pave the way forward for critical services such as the National Vulnerability Database (NVD). Furthermore, AI/ML is currently being widely adopted (even in mission-critical and safety-critical applications) and needs to be secured better. Our SBIR-funded AI/ML Trust Analysis technology is a great example of an innovation that should be adopted rapidly to ensure vulnerabilities are detected. In conclusion, ObjectSecurity recommends that stakeholders start actively looking for cybersecurity innovations now, both to meet the requirements of the Executive Order and to protect our Nation’s cybersecurity.