The Cybersecurity Executive Order: From Missed Opportunity to Unexpected Progress

Over the last year, the impact of President Joe Biden’s cybersecurity executive order has gone beyond initial expectations.

Last May, the Biden administration issued its Executive Order on Improving the Nation’s Cybersecurity. Released with much fanfare in the immediate aftermath of the Colonial Pipeline ransomware attack and shutdown—and resultant gas station lines and price spikes—it contained some positive features. But, as I cautioned at the time, in many respects it unfortunately represented a “missed opportunity.” 

Twelve months later, I can look back and say in hindsight that I only had it partly right—the executive order was a missed opportunity in some ways. However, I was also partly wrong.  There have been some positive security outcomes—to some degree due to the EO—that were not so readily apparent at the time.

When the White House issued the EO, I voiced concern that it primarily focused on federal agency cybersecurity and did not adequately address improving cybersecurity in the sixteen critical infrastructure sectors established previously by the Department of Homeland Security. I recognize actual mandates on the private sector would have generated significant and likely insurmountable political—or even legal—pushback. Still, I would have preferred the order to have, at minimum, included concrete incentives for private owners and operators of critical infrastructure to adopt the NIST Cybersecurity Framework, to help them establish better cyber risk management programs to identify, prioritize and manage implementation of essential best practices to strengthen cyber hygiene. 

Despite these reservations about what the EO did not do, I am glad to say that, in the past year since the EO’s release, the Biden administration has stepped up in various other ways. 

First, the government has been a consistent and vocal force, urging the various critical infrastructure sectors to do more to protect themselves in cyberspace and promoting initiatives that encourage threat information sharing. It has also provided specific cybersecurity guidance to private companies of all sizes in industries it believes are in the crosshairs of malicious actors, including Russian-affiliated hackers.

More specifically, the Cybersecurity and Infrastructure Security Agency, supported by other federal agencies, has continued to update cybersecurity warnings based on evolving threat intelligence. It has stressed the need for organizations to practice good cyber hygiene, and to adopt and follow best cybersecurity practices. To that end, CISA has also posted some basic, but still solid, recommendations for both the private sector and for individuals on the website for its “Shields-Up” campaign.

The government’s pleas for cyber vigilance have become even more urgent in recent months, due to intelligence showing potential Russian threats to retaliate—in response to American support for Ukraine—against U.S. interests. The White House has provided confidential briefings to critical infrastructure firms that the U.S. believes are likely targets for Russian-backed hackers, based on intelligence sources. While public-private collaboration was mentioned in the May 2021 EO without much specificity, in practice, the federal government has filled in that gap with some tangible actions.  

Second, the EO directed federal agencies to develop a plan to implement zero trust architecture, update plans to prioritize resources for the adoption and use of cloud technology and, where practicable, adopt zero trust as part of this migration to the cloud. The Biden administration has followed up on this by giving specific direction to federal agencies to move more aggressively to adopt cloud computing and zero trust architecture. The White House has also made specific requests for funding in the FY 2023 budget, designed to meet the EO’s goal of further pushing departments and agencies toward zero trust. In fact, zero trust is a common thread throughout the budget request sent to Congress this spring.

Finally, the cyber EO included a very detailed, prescriptive section that began a process to prohibit agencies from buying software not meeting new security guidelines—securely designed and maintained—and the administration has followed through on that commitment. In February, NIST provided the guidelines called for by the EO via an update to its Secure Software Development Framework. Thirty days later, OMB required agencies to begin taking immediate action to follow the revised NIST framework. 

Subsequently, NIST has now also issued its first revision to Special Publication 800-161, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” providing updated guidance for software security throughout the supply chain, not just for software purchased by the government. This update, referenced in the original EO guidance NIST published in February, continues to show that this important component of the EO has not been delayed by bureaucratic inertia or lack of interest. Moreover, it shows how the government is extending the EO’s impact beyond the federal space and into the private sector.

Looking back, while the cybersecurity executive order itself did not directly address longstanding critical infrastructure vulnerabilities, the government has taken action in other ways—some based on the direction and tone of the EO and some in response to events—to assist private sector cybersecurity. It is clear the government has also been following through on the promise of the EO to improve federal cybersecurity. But with constantly evolving threats from bad actors all over the world, the U.S. must keep this effort up in order to continue to be able to respond to new and unforeseen challenges and threats in cyberspace to the public and private sectors. 

Robert DuPree is manager of government affairs at Telos Corporation, a position he has held since 2008. He is responsible for monitoring, analyzing and reporting on legislative and political developments in the U.S. Congress and the executive branch. He serves as a liaison for Telos Corporation with public officials at the congressional and state levels. Prior to joining Telos, Robert worked in Washington, D.C., for over two decades, serving as legislative director for a senior member of the U.S. House of Representatives and then as a government relations professional and senior executive with a national manufacturing trade association.
