A year later, Biden’s cybersecurity executive order driving positive change

A year ago today, U.S. President Joe Biden released the ambitious Executive Order on Improving the Nation’s Cybersecurity following a series of devastating and destructive cyberattacks. The executive order (EO) triggered an avalanche of rulemakings across the federal government to meet dozens of now mainly achieved deadlines to implement the order’s objectives.

The Biden administration premised the EO on elevating the government’s protection and response capabilities across a wide range of digital technology systems and services, from moving the federal government to cloud services and zero-trust architectures to improving software supply chain security. The idea was to strengthen government infrastructure cybersecurity while also raising the cybersecurity bar for government vendors, including tech giants, who must likewise meet the EO’s objectives.

Now at the one-year mark, it’s worth looking at how well the order stands up, how effective it has been, and whether it has missed any relevant cybersecurity concerns despite its wide-ranging nature.

Cybersecurity executive order is “just what we needed”

Most cybersecurity and policy experts agree that the EO has fostered much-needed and long-overdue changes. Michael Daniel, president and CEO of the Cyber Threat Alliance and cybersecurity coordinator under President Obama, tells CSO, “Whether you’re talking about software bills of material, or you’re talking about the push for multi-factor authentication across the federal enterprise, the cybersecurity executive order provided the foundation for the ongoing activity and is the lodestar for the administration’s priorities.”

Daniel says that a year is not a sufficient time frame to adequately assess the order, which contemplates actions that have yet to take place. “What the EO set in motion will take another couple of years to play out, particularly when you’re talking about changes to things like the federal acquisition rules. That takes a long time. So many of these things are still in motion and will continue to play out over the next couple of years.”

“I’m pleased with the degree to which this executive order has driven and continues to drive activity. Not all executive orders do that,” Bob Kolasky, senior vice president for critical infrastructure at Exiger and former assistant director of the Cybersecurity and Infrastructure Security Agency (CISA), tells CSO. “This was the president in his role as CEO of the largest enterprise in the country, the U.S. government, saying, ‘I want my CISO team, my risk team, to take cybersecurity more seriously.’ It has had an impact on the broader cybersecurity across the U.S., including state and local governments and critical infrastructure.”

“But it was, first and foremost, ‘Let’s get our own house in order. Let’s modernize our own house as much as possible.’ I think there’s early evidence that it has accomplished that,” says Kolasky.

“I think the order was pretty comprehensive and detailed and just what we needed, even if it was overdue,” Chris Wysopal, co-founder and CTO of Veracode, tells CSO. “It’s been such a long time since the federal government has really done anything about the security of software. So, I think it was a huge step in the right direction.”

A natural response to SolarWinds, other security events

The EO followed a series of high-profile and scary cybersecurity incidents, including the SolarWinds supply chain attack by Russian threat actors, the infiltration of Microsoft Exchange servers by Chinese espionage operators, and a ransomware attack on Colonial Pipeline. The U.S. has not experienced a comparable string of damaging cybersecurity incidents since the EO was released but it’s inaccurate to say that a relative calming of destructive activity is a consequence of the order.

If there has been a diminution of seriously disruptive events since last May, it’s just “the natural response to the crescendo of events that you’re talking about was an increased focus on cybersecurity both inside and outside of government,” Daniel says. Moreover, he adds, “These things always seem to go in cycles.”

Kolasky agrees, particularly when it comes to ransomware incidents. “I think there are other steps that the administration and critical infrastructure have taken and ways that we’ve shaped what’s going on in terms of ransomware that have been more impactful than the executive order,” he says

Wyospal rejects the premise that malicious actions have simmered down. “I don’t know if I would say things have calmed down,” he says. “I think we’ve readjusted the baseline of what we think is normal. There are serious ransomware events all the time.”

But Wyospal does think that the EO has forced some tech suppliers to take cybersecurity more seriously. “The mere existence of the executive order gets organizations, especially the suppliers that are building software, to think more about ‘I have to secure the software I’m delivering,’ or ‘I have to secure my development and pipeline from malicious intruders,'” he says.

What’s missing from the cybersecurity EO?

Did the EO miss any critical cybersecurity elements despite its all-encompassing nature? Not really, Daniel says. “As hard as it is to get the policies written and agreed to it’s even harder to go and make them work and make them work in practice. I wouldn’t want the White House pushing out a whole slew of new executive orders because I think that would dilute the effort that is still needed on what they’ve already laid out.”

Other adjacent initiatives should be high priority right now, such as “implementing the incident reporting legislation that Congress passed,” Daniel says. “That means developing a regulation actually to implement it. That’s a big piece that CISA now has to do in addition to all these activities in the executive order.”

Kolasky suggests that the executive order as written is already a full plate. “You do want to have a manageable agenda of things,” he says. “Focusing on zero trust, contract improvement, and software supply chain security all strike me as good starting points for what federal networks should be doing.”

Wysopal says, “I think the thing that’s missing, but they’ve alluded to [in the EO], is expanding it to cover more software. The initial requirements around what they deem critical software involve things like hypervisors and operating systems and network security devices, and things that have to operate at increased privileges.”

“That is all well and good. That’s where you would want to start, with the highest risk stuff, but we’ve seen plenty of breaches that have come in through run-of-the-mill websites,” Wysopal says. “So that’s where I think it needs to go in the future, realizing that most software is putting the government at risk. It’s not just critical software.”