Notable experts say the cybersecurity executive order has improved the nation's security posture, but more work is to be done.

A year ago today, U.S. President Joe Biden released the ambitious Executive Order on Improving the Nation's Cybersecurity following a series of devastating and destructive cyberattacks. The executive order (EO) triggered an avalanche of rulemakings across the federal government to meet dozens of now mainly achieved deadlines to implement the order's objectives.
The Biden administration premised the EO on elevating the government's protection and response capabilities across a wide range of digital technology systems and services, from moving the federal government to cloud services and zero-trust architectures to improving software supply chain security. The idea was to strengthen government infrastructure cybersecurity while also raising the cybersecurity bar for government vendors, including tech giants, who must likewise meet the EO's objectives.
Now at the one-year mark, it's worth looking at how well the order stands up, how effective it has been, and whether it has missed any relevant cybersecurity concerns despite its wide-ranging nature.
Cybersecurity executive order is "just what we needed"
Most cybersecurity and policy experts agree that the EO has fostered much-needed and long-overdue changes. Michael Daniel, president and CEO of the Cyber Threat Alliance and cybersecurity coordinator under President Obama, tells CSO, "Whether you're talking about software bills of material, or you're talking about the push for multi-factor authentication across the federal enterprise, the cybersecurity executive order provided the foundation for the ongoing activity and is the lodestar for the administration's priorities."
Daniel says that a year is not a sufficient time frame to adequately assess the order, which contemplates actions that have yet to take place. "What the EO set in motion will take another couple of years to play out, particularly when you're talking about changes to things like the federal acquisition rules. That takes a long time. So many of these things are still in motion and will continue to play out over the next couple of years."
"I'm pleased with the degree to which this executive order has driven and continues to drive activity. Not all executive orders do that," Bob Kolasky, senior vice president for critical infrastructure at Exiger and former assistant director of the Cybersecurity and Infrastructure Security Agency (CISA), tells CSO. "This was the president in his role as CEO of the largest enterprise in the country, the U.S. government, saying, 'I want my CISO team, my risk team, to take cybersecurity more seriously.' It has had an impact on the broader cybersecurity across the U.S., including state and local governments and critical infrastructure."
"But it was, first and foremost, 'Let's get our own house in order. Let's modernize our own house as much as possible.' I think there's early evidence that it has accomplished that," says Kolasky.
"I think the order was pretty comprehensive and detailed and just what we needed, even if it was overdue," Chris Wysopal, co-founder and CTO of Veracode, tells CSO. "It's been such a long time since the federal government has really done anything about the security of software. So, I think it was a huge step in the right direction."
A natural response to SolarWinds, other security events
The EO followed a series of high-profile and scary cybersecurity incidents, including the SolarWinds supply chain attack by Russian threat actors, the infiltration of Microsoft Exchange servers by Chinese espionage operators, and a ransomware attack on Colonial Pipeline. The U.S. has not experienced a comparable string of damaging cybersecurity incidents since the EO was released, but it's inaccurate to say that a relative calming of destructive activity is a consequence of the order.
If there has been a diminution of seriously disruptive events since last May, it's just "the natural response to the crescendo of events that you're talking about was an increased focus on cybersecurity both inside and outside of government," Daniel says. Moreover, he adds, "These things always seem to go in cycles."
Kolasky agrees, particularly when it comes to ransomware incidents. "I think there are other steps that the administration and critical infrastructure have taken and ways that we've shaped what's going on in terms of ransomware that have been more impactful than the executive order," he says.
Wysopal rejects the premise that malicious actions have simmered down. "I don't know if I would say things have calmed down," he says. "I think we've readjusted the baseline of what we think is normal. There are serious ransomware events all the time."
But Wysopal does think that the EO has forced some tech suppliers to take cybersecurity more seriously. "The mere existence of the executive order gets organizations, especially the suppliers that are building software, to think more about 'I have to secure the software I'm delivering,' or 'I have to secure my development and pipeline from malicious intruders,'" he says.
What's missing from the cybersecurity EO?
Did the EO miss any critical cybersecurity elements despite its all-encompassing nature? Not really, Daniel says. "As hard as it is to get the policies written and agreed to, it's even harder to go and make them work and make them work in practice. I wouldn't want the White House pushing out a whole slew of new executive orders because I think that would dilute the effort that is still needed on what they've already laid out."
Other adjacent initiatives should be high priority right now, such as "implementing the incident reporting legislation that Congress passed," Daniel says. "That means developing a regulation actually to implement it. That's a big piece that CISA now has to do in addition to all these activities in the executive order."
Kolasky suggests that the executive order as written is already a full plate. "You do want to have a manageable agenda of things," he says. "Focusing on zero trust, contract improvement, and software supply chain security all strike me as good starting points for what federal networks should be doing."
Wysopal says, "I think the thing that's missing, but they've alluded to [in the EO], is expanding it to cover more software. The initial requirements around what they deem critical software involve things like hypervisors and operating systems and network security devices, and things that have to operate at increased privileges."
"That is all well and good. That's where you would want to start, with the highest risk stuff, but we've seen plenty of breaches that have come in through run-of-the-mill websites," Wysopal says. "So that's where I think it needs to go in the future, realizing that most software is putting the government at risk. It's not just critical software."