Last May, the Biden administration issued its Executive Order on improving the nation’s cybersecurity. Released with great fanfare immediately after the Colonial Pipeline ransomware attack and shutdown – and the resulting petrol station lines and price spikes – it has some positive features. But, as I warned then, in many ways it was unfortunately a ‘missed opportunity’.
Twelve months later, I can look back and say that I was only partially correct – the executive order was a missed opportunity in some respects. In part, however, I was wrong. There have been some positive security outcomes – thanks in part to the EO – which were not so obvious at the time.
When the White House issued the EO, I expressed concern that it focused primarily on federal agency cybersecurity and did not adequately address cybersecurity improvements in the sixteen critical infrastructure sectors previously defined by the Department of Homeland Security. I recognize that actual mandates on the private sector would generate significant and probably insurmountable political – or even legal – pushback. However, I would have preferred the order to include at least specific incentives for private owners and operators of critical infrastructure to adopt NIST’s Cybersecurity Framework, to help them establish better cyber risk management programs for identifying, prioritizing and managing the implementation of essential best practices that strengthen cyber hygiene.
Despite these reservations about what the EO did and did not do, I am glad to say that in the year since the release of the EO, the Biden administration has strengthened cybersecurity in various other ways.
First, the government has been a consistent and vocal force calling on the various critical infrastructure sectors to do more to protect themselves in cyberspace, and it has encouraged initiatives that promote the sharing of threat information. It has also provided specific cybersecurity guidance to private companies of all sizes in industries that it believes are being targeted by malicious actors, including Russia-linked hackers.
In particular, the Cybersecurity and Infrastructure Security Agency (CISA), supported by other federal agencies, has continued to update its cybersecurity advisories based on evolving threat intelligence. It has stressed the need for organizations to practice good cyber hygiene and to adopt and follow cybersecurity best practices. To this end, CISA also publishes some basic but solid recommendations for both the private sector and individuals on the website of its Shields Up campaign.
The government’s calls for cyber vigilance have become even more urgent in recent months because of intelligence showing potential Russian retaliation – in response to US support for Ukraine – against US interests. The White House has provided classified briefings to critical infrastructure companies that the United States believes, based on intelligence sources, are likely targets for Russian-backed hackers. While public-private cooperation was mentioned in the EO of May 2021 without much specificity, in practice the federal government has filled this gap with some tangible action.
Second, the EO instructed federal agencies to develop a plan to implement a zero trust architecture, to update plans to prioritize resources for the adoption and use of cloud technologies, and, where possible, to adopt zero trust as part of this migration to the cloud. The Biden administration followed through, giving specific guidance to federal agencies to move more aggressively to adopt cloud computing and zero trust architecture. The White House has also made specific funding requests in the budget for fiscal year 2023, designed to meet the EO’s goal of pushing departments and agencies further toward zero trust. In fact, zero trust is a common thread in the budget request sent to Congress this spring.
Finally, the cyber EO included a very detailed, prescriptive section that launched a process to bar agencies from buying software that does not meet new security guidelines – software that is securely designed and maintained – and the administration has fulfilled that commitment. In February, NIST provided the guidance requested by the EO through an update to its Secure Software Development Framework. Thirty days later, OMB asked agencies to take immediate action to follow NIST’s revised framework.
Subsequently, NIST also issued the first revision of Special Publication 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, providing up-to-date software security guidance for the entire supply chain, not just government-purchased software. This update, like the guidance published in February, continues to show that this important component of the EO is not being slowed by bureaucratic inertia or lack of interest. It also shows how the government is extending the influence of the EO beyond the federal space and into the private sector.
Looking back, while the cybersecurity Executive Order itself does not directly address the long-standing vulnerabilities of critical infrastructure, the government has taken action in other ways – some based on the EO’s direction and tone, and others in response to events – to support private sector cybersecurity. It is clear that the government has also fulfilled the EO’s promise to improve federal cybersecurity. But with the ever-evolving threats from bad actors around the world, the United States must continue these efforts in order to meet new and unforeseen challenges and threats in cyberspace for both the public and private sectors.
Robert Dupree is Government Affairs Manager at Telos Corporation, a position he has held since 2008. He is responsible for monitoring, analyzing and reporting on legislative and policy developments in the US Congress and the executive branch. He serves as Telos Corporation’s liaison with federal and state government officials. Prior to joining Telos, Robert worked in Washington, DC, for more than two decades, serving as Legislative Director for a senior Member of the US House of Representatives and then as a government relations professional and senior executive director at a national manufacturing trade association.