Last May, the Biden administration issued its Executive Order on Improving the Nation’s Cybersecurity. Released with much fanfare in the immediate aftermath of the Colonial Pipeline ransomware attack and shutdown—and resultant gas station lines and price spikes—it contained some positive features. But, as I cautioned at the time, in many respects it unfortunately represented a “missed opportunity.”
Twelve months later, I can look back and say in hindsight that I only had it partly right—the executive order was a missed opportunity in some ways. However, I was also partly wrong. There have been some positive security outcomes—to some degree due to the EO—that were not so readily apparent at the time.
When the White House issued the EO, I voiced concern that it primarily focused on federal agency cybersecurity and did not adequately address improving cybersecurity in the sixteen critical infrastructure sectors established previously by the Department of Homeland Security. I recognize actual mandates on the private sector would have generated significant and likely insurmountable political—or even legal—pushback. Still, I would have preferred the order to have, at minimum, included concrete incentives for private owners and operators of critical infrastructure to adopt the NIST Cybersecurity Framework, to help them establish better cyber risk management programs to identify, prioritize and manage implementation of essential best practices to strengthen cyber hygiene.
Despite these reservations about what the EO did not do, I am glad to say that, in the past year since the EO’s release, the Biden administration has stepped up in various other ways.
First, the government has been a consistent and vocal force, urging the various critical infrastructure sectors to do more to protect themselves in cyberspace and promoting initiatives that encourage threat information sharing. It has also provided specific cybersecurity guidance to private companies of all sizes in industries it believes are in the crosshairs of malicious actors, including Russian-affiliated hackers.
More specifically, the Cybersecurity and Infrastructure Security Agency, supported by other federal agencies, has continued to update cybersecurity warnings based on evolving threat intelligence. It has stressed the need for organizations to practice good cyber hygiene, and to adopt and follow best cybersecurity practices. To that end, CISA has also posted some basic, but still solid, recommendations for both the private sector and for individuals on the website for its “Shields-Up” campaign.
The government’s pleas for cyber vigilance have become even more urgent in recent months, due to intelligence showing potential Russian threats to retaliate—in response to American support for Ukraine—against U.S. interests. The White House has provided confidential briefings to critical infrastructure firms that the U.S. believes are likely targets for Russian-backed hackers, based on intelligence sources. While public-private collaboration was mentioned in the May 2021 EO without much specificity, in practice, the federal government has filled in that gap with some tangible actions.
Second, the EO directed federal agencies to develop a plan to implement zero trust architecture, update plans to prioritize resources for the adoption and use of cloud technology and, where practicable, adopt zero trust as part of this migration to the cloud. The Biden administration has followed up on this by giving specific direction to federal agencies to move more aggressively to adopt cloud computing and zero trust architecture. The White House has also made specific requests for funding in the FY 2023 budget, designed to meet the EO’s goal of further pushing departments and agencies toward zero trust. In fact, zero trust is a common thread throughout the budget request sent to Congress this spring.
Finally, the cyber EO included a very detailed, prescriptive section that began a process to prohibit agencies from buying software not meeting new security guidelines—securely designed and maintained—and the administration has followed through on that commitment. In February, NIST provided the guidelines called for by the EO via an update to its Secure Software Development Framework. Thirty days later, OMB required agencies to begin taking immediate action to follow the revised NIST framework.
Subsequently, NIST has now also issued its first revision to Special Publication 800-161, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” providing updated guidance for software security throughout the supply chain, not just for software purchased by the government. This update, referenced in the original EO guidance NIST published in February, continues to show that this important component of the EO has not been delayed by bureaucratic inertia or lack of interest. Moreover, it shows how the government is extending the EO’s impact beyond the federal space and into the private sector.
Looking back, while the cybersecurity executive order itself did not directly address longstanding critical infrastructure vulnerabilities, the government has taken action in other ways—some based on the direction and tone of the EO and some in response to events—to assist private sector cybersecurity. It is clear the government has also been following through on the promise of the EO to improve federal cybersecurity. But with constantly evolving threats from bad actors all over the world, the U.S. must keep this effort up in order to continue to be able to respond to new and unforeseen challenges and threats in cyberspace to the public and private sectors.
Robert DuPree is manager of government affairs at Telos Corporation, a position he has held since 2008. He is responsible for monitoring, analyzing and reporting on legislative and political developments in the U.S. Congress and the executive branch. He serves as a liaison for Telos Corporation with public officials at the congressional and state levels. Prior to joining Telos, Robert worked in Washington, D.C., for over two decades, serving as legislative director for a senior member of the U.S. House of Representatives and then as a government relations professional and senior executive with a national manufacturing trade association.