This executive order is designed to strengthen federal cybersecurity, not that of the private sector, including critical infrastructure providers.
Very late Wednesday (after the markets closed but in time to make the evening news), the Biden administration unveiled its long-awaited cybersecurity executive order. Cybersecurity professionals are providing an array of instant analysis of the executive order and its benefits from their perspective. Yet from a public policy perspective, the order represents a missed opportunity to address long-standing critical infrastructure vulnerabilities.
Much of the U.S. this week has been feeling the immediate repercussions of the ransomware attack against Colonial Pipeline, which resulted in the company shutting down its energy distribution network, affecting states from New England to Texas. There has been panic buying of gasoline, leading to widely viewed images of long lines at the pumps and growing fuel shortages.
Many media reports swiftly branded the new executive order as a “response” to the Colonial breach. It’s nothing of the sort. But Colonial Pipeline is just the most recent example of a huge problem, which the experts have warned about for years and which could have also been addressed by this order.
Critical Infrastructure in the Crosshairs
Since mid-March, cybersecurity and public policy pros alike have been anticipating the promised executive order on cybersecurity from the new administration. It became a running gag among pundits that the order was “imminent” for over two months. Given the discoveries of the SolarWinds, Microsoft Exchange Server and Pulse Connect Secure hacks; the local water system breach in Florida; and other events, such an order was viewed as a way for the Biden White House to make a definitive statement on its plans to boost our nation’s cyber defenses.
This executive order had been in the works for months, and had been amended and tweaked and put through the final review process. But the Colonial Pipeline hack and news coverage of its impact altered the public dynamic just as it was ready to be released. Viral videos of cars waiting in line and people irrationally putting gasoline in any container they could find forced the White House to swiftly issue the order on May 12, along with some last-minute additional language in the accompanying fact sheet that acknowledged this most recent attack against our nation’s critical infrastructure.
Focus Only on Government Technology
But in reality, this executive order is designed to strengthen federal cybersecurity, not that of the private sector, including critical infrastructure providers. There is nothing in the executive order itself directly addressing critical infrastructure security. In a 34-page executive order with over 8,000 words, I expected at least some mention of critical infrastructure.
It has been pointed out that the order’s requirements for stricter cybersecurity standards for software vendors who sell to the government should ultimately strengthen the security of software sold to non-government customers as well. But that will take time, and it is far from certain.
Encouragement Is Good; Incentives Are Better
The fact sheet accompanying President Biden’s new executive order even raises the issue of how our nation’s critical infrastructure needs stronger cyber protections, but it then pivots to say it’s the private sector’s responsibility to take action. It only “encourage(s) private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
I would like to have seen language in the order itself to not just encourage but to actively incentivize the private owners and operators of such systems to adopt the NIST Cybersecurity Framework, air gap their systems and take other basic steps to better protect themselves from attack. To the public and our nation’s economy, these aren’t just privately owned companies; they are America’s critical infrastructure. And to the nation, critical really does mean “vital.”
The executive order is not bad. Far from it. Cybersecurity experts are already highlighting its positive features for the federal government—accelerating agencies’ move to the cloud, zero trust, multifactor authentication, information sharing, etc.
But it could have been more. The order missed a golden opportunity to directly address vulnerabilities in America’s critical infrastructure. Now we will have to wait for the improvements mandated for the federal government and its suppliers to trickle down to the private sector, including our nation’s “critical” infrastructure.
Robert DuPree is manager of government affairs at Telos Corporation.