The Executive Order on Improving the Nation’s Cybersecurity, signed by the Biden administration on May 12, marks the strongest and most visible stance the Federal government has taken to improve national cybersecurity and better protect our software supply chains, economy and critical infrastructure from cyber-attacks. Following the SolarWinds supply-chain compromise, the mass exploitation of Microsoft Exchange Server vulnerabilities, and the ransomware attack on the IT networks of Colonial Pipeline (which transports roughly 45% of the fuel consumed on the East Coast of the United States), the timing of the long-rumored order is neither coincidental nor surprising.
It is, however, a very welcome advance, as we have known for a long time now that “incremental improvements will not give us the security we need” – to quote the Executive Order. While the order itself will not solve all of our nation’s cybersecurity problems, or even prevent the next major cyber-attack, it is the correct first step for mobilizing the government’s resources and setting its expectations for partnering with the private sector. The order charts a clear path for how the Federal government will support business and infrastructure, and while no single policy, initiative or Executive Order will be a “silver bullet” for protecting the cybersecurity of the United States, it provides a framework within which everyone can operate.
The Federal government is one of the nation’s largest buyers of goods and services, including software. With the requirement that software and systems (including operational technology) purchased by the government meet new security standards, the “power of the purse” will be felt far and wide throughout the software and cybersecurity industries. Efforts the security community has been advancing for years, such as coordinated vulnerability disclosure (CVD) and the Software Bill of Materials (SBOM), gain much-needed support from this order.
The higher bar for security standards will make it harder for adversaries to tamper with the software code used on Federal networks and should ultimately reduce the number of vulnerabilities shipped in software used by everyone. The order’s focus on zero-trust architecture, multifactor authentication, cloud-based technologies, strong encryption, and endpoint detection and response (EDR) will help modernize and strengthen cybersecurity standards within the Federal government. For the private sector, the order lays a foundation of best practices and standards for maintaining security hygiene and defending critical data and assets.
While we optimistically wait for the most important part of the Executive Order – the implementation of these policies – we, along with the rest of the cybersecurity community, are delighted with the Biden administration’s prioritization of this important topic in the face of the ever-evolving threat landscape. It is our hope that this moment will be looked upon in history as the point the cybersecurity landscape was forever changed.
Click here to read the Fact Sheet for the Executive Order on Improving the Nation’s Cybersecurity