One year ago today, the White House released an Executive Order on Improving the Nation’s Cybersecurity. Here's where things stand.
The first Friday of May, 2021 was a dark day for Americans as we learned that the DarkSide ransomware gang attacked Colonial Pipeline, an essential, privately-owned pipeline that supplies fuel to the majority of the East Coast. The incident turned what had been a growing fear into a reality: cyberattacks on America’s critical infrastructure that caused supply-chain disruptions (panic-buying drained gas supplies in the Southern U.S.) and stoked national security concerns.
Released just six days after the Colonial attack, the Biden Administration’s Executive Order (EO) 14028 - Improving the Nation’s Cybersecurity proposed a reset: cybersecurity would now be considered a top priority for the federal government, rather than an afterthought. Now, we are here a year later, so how did it turn out? Here's a closer look at the EO — its history, components, and what progress has (and hasn’t) been made by the federal government since its release.
[ Download the white paper: How and Why NIST is Driving SBOM Evolution ]
A short history of the Cybersecurity Executive Order
Even though cybersecurity has been an area of concern for the federal government for more than three decades, initiatives designed to defend government IT environments have consistently fallen short. As far back as the Clinton Administration, cybersecurity efforts such as the enactment of the Federal Computer Incident Response Capability Initiative (FedCIRC) sought to improve the federal government’s cybersecurity posture. Later on, the George W. Bush Administration saw the creation of a National Strategy to Secure Cyberspace, under the auspices of the newly created Department of Homeland Security.
However, it wasn’t until the Obama Administration that we saw the Executive branch of the federal government take a more far-reaching and collaborative approach to cybersecurity. That administration’s Comprehensive National Cybersecurity Initiative expanded upon what the Bush Administration had started, with a focus on fostering collaboration between the public and private sectors. The Federal Information Security Modernization Act of 2014 (FISMA) was also a significant step forward and prompted federal agencies to develop, document, and implement agency-wide information security programs.
By the time the Trump Administration took office in 2017, however, it was clear that the efforts of previous administrations were falling short. Hacks like the one perpetrated on the Office of Personnel Management underscored weaknesses in federal IT security efforts. Cyber incidents, predominantly ransomware attacks, were also ramping up against federal, state and local governments, as well as private sector firms. In 2019, the Federal Bureau of Investigation saw a record number of economic losses and complaints as a result of internet crime (PDF).
Cybersecurity EO to the rescue!
The Biden Administration’s EO 14028 builds on the work of those earlier efforts - and also attempts to answer for their shortcomings. The White House says the EO is meant to pave the way towards modernizing the federal government’s cybersecurity defenses, by protecting federal networks, improving cyber-related information sharing between the public and private sectors, as well as strengthening the U.S. government’s ability to respond to cyber incidents.
To aid these goals, Executive Order 14028 charged multiple federal agencies with enhancing cybersecurity through several initiatives, all related to the security and integrity of the software supply chain. The order consists of nine sections and covers several facets of cybersecurity, such as incident response, supply chain security, a zero-trust model, threat analysis and hunting, as well as public-private partnership. It went as far as creating a strategic plan for every department, and the agencies within each, so that the federal government as a whole can follow a common set of rules to ensure best practices across the board.
However, what the EO lacks are mandatory regulations for private entities. Instead, it offers guidance for these non-governmental organizations to follow in an effort to further their cybersecurity hygiene.
Where are we now?
In reviewing the past 12 months since the EO, it’s clear that the federal government’s priorities have shifted—several times. Despite the COVID-19 Pandemic and the war in Ukraine, cybersecurity has not been sidelined.
For example, Congress passed the Biden Administration’s Infrastructure Investment and Jobs Act this year, influenced by the Build Back Better plan, which sets aside $1.9 Billion for cybersecurity initiatives. Also this year, President Biden signed the K-12 Cybersecurity Act, which tasks the Cybersecurity and Infrastructure Security Agency (CISA) with reviewing cyber threats against America’s educational institutions.
Lastly, the State Department recently established the Bureau of Cyberspace and Digital Policy, as a part of Secretary of State Blinken’s modernization agenda for the department. Facing a wave of cyber attacks and ransomware-related disruptions, state governments have also been making cybersecurity a top priority: in 2021 alone, 35 states enacted cybersecurity legislation. Nationally, cybersecurity has become a top policy concern in 2022.
Requirements outlined in the EO have also driven action on the ground. Among them:
- The Department of Homeland Security launched the Cyber Safety Review Board, the first of its kind, as outlined in section 5 of the EO.
- CISA, headed by Director Jen Easterly, has been hard at work with its Shields Up campaign, meant to decrease the barriers to relevant information sharing within the cybersecurity community, addressed in section 2 of the EO.
- The National Institute for Standards and Technology (NIST) released their Secure Software Development Framework, as called for in Section 4 of the EO. It lists a series of guidelines that producers of commercial off-the-shelf and government-off-the-shelf software have if they are licensing their products and services to federal agencies.
- NIST also revised their Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations this month, further fulfilling their EO responsibilities.
- In response to a requirement in the EO, CISA developed and published a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems. The agency published the playbooks in November of last year.
Despite this, several of the actions listed in the EO are still lagging behind a year later. They include:
- Enhancing software supply chain security, where government efforts have been limited to the issuance of frameworks and guidance, like the NIST Special Publication 800-218 and 800-161r1, but little more.
- Sections 7 and 8 of the Executive Order call on the federal government to improve its threat detection, cyber investigation and remediation efforts - for example by deploying Endpoint Detection and Response (EDR) technologies. It is hard to see evidence that this year has brought much improvement in the federal government’s capabilities in these key areas, while recent incidents like the hack of SolarWinds—which impacted a number of government agencies—suggest that sophisticated adversaries are pursuing new channels and methods for penetrating government systems and networks.
Looking ahead at the state of national cybersecurity
It’s not entirely certain how progress with the EO’s initiatives will move forward in the coming months. Threat detection, threat hunting and incident response will continue to be significant challenges for the government, especially given the vast amount of legacy systems it continues to support. An April, 2021 report by GAO, for example, found that the U.S. government spends substantial portions of its $100 billion annual IT budget to operate and maintain legacy systems, some being 40 or 50 years old. Changing course and embracing “zero trust” architectures is a laudable goal, but this will be difficult to achieve in the short term.
In areas like software supply chain security, the publication of new frameworks and guidelines in the last year puts the onus on government and third-party software publishers to improve their secure development practices (a much bigger challenge). Increasing the adoption of Software Bills of Materials (SBOMs) both within the federal government and at companies that supply software and services to the government would be a step in the right direction. It also means going above and beyond malware analysis to include the detection of software tampering into an organization’s security practices. Taking these kinds of actions, alongside the federal government’s progress in this policy area, will better protect American institutions from ongoing cyber threats.
- White paper: How and Why NIST is Driving SBOM Evolution
- A CISO’s guide to protecting against modern software threats
- How to detect software supply chain attacks
- Why you need to prioritize development and software supply chain security
- How existing cybersecurity frameworks can curb software supply chain attacks
- It only takes one line of code to ruin your day