The Biden administration’s new executive order on cybersecurity contains 8,080 words and, by my count, includes 43 deadlines and some 70 action items. Within hours, every trade group, cyber company, and camp follower was predictably out with reaction — applause, praise and appreciation.
They used words like “bold, sweeping, solid.” It certainly is sweeping, but to me it lards on complexity and detailed prescription where simplicity and clear expression of principles were needed.
I can picture vendors and agency functionaries alike scratching their heads, trying to visualize all of the overlapping interagency structures, reports, action items and deadlines on a room-length white board or big spreadsheet.
Clearly the order was a long, long time in preparation by uber-diligent staff. My impression is that the White House chose last night to release it because a big, fat cyber incident hitting critical infrastructure had the hand-forcing effect of gasoline fill-up lines, of all things. Gas lines have particularly potent cultural meaning. They recall the aftermath of the 1973 Arab Oil Embargo, in which the whims of foreign potentates proved they could literally mess with the American way of life.
Now, an Eastern European extortion ring, matter-of-fact about its financial motivations, showed it could pinch gasoline supplies. Maybe it pays a percentage to the Putin machine to operate with seeming impunity?
But, as a White House official noted in a briefing accompanying release of the EO, “cybersecurity incidents like SolarWinds, Microsoft Exchange, and now the Colonial Pipeline incident are a sobering reminder that both U.S. public- and private-sector entities are very vulnerable to constant, sophisticated, and malicious attack — from nation-state adversaries to run-of-the-mill criminals.”
Fundamentally the White House is correct in updating the government’s cybersecurity policies and procedures. The cyber threat environment always changes. The government is often a step behind where it needs to be.
Therefore the order calls for some concrete steps, such as giving agencies 180 days to institute two-factor authentication for access to data, and the encryption of data at rest and in transit. It conjures up new, mandatory contract language for the acquisition of cybersecurity software and services. It pushes updated security practices for use of commercial clouds. It devotes a lot of language to policy for the software supply chain and on dealing with national security systems. It hugs zero trust architectures.
The EO even seeks to take on internet-of-things cyber threats and the cyber standards for consumer electronics.
Biden’s order sweeps in the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency, of course. Also the FBI, National Institute of Standards and Technology, Defense Department, attorney general, Federal Acquisition Regulatory Council, Director of National Intelligence, National Security Agency, General Services Administration, and the White House itself. It orders into existence a Cyber Safety Review Board, a requirement of the 2002 Homeland Security Act.
But, my gosh, it reads like a chemistry text or, worse, one of those legislative bills that tries to fix a thousand things. In section 4, enhancing software supply chain security, the list of actions runs literally from (a) to (x), falling just two items short of (z). Those subsections encompass 16 deadlines.
I lost count of the data sharing and reporting regimes the EO imposes.
Nothing in the EO is frivolous or trivial. It does build on existing structures such as FedRAMP and the continuous diagnostics and mitigation program, even as it creates new alliances, boards, and coordinations. Moreover, many of the data sharing arrangements already exist, at least in theory. Encryption, zero trust, multifactor authentication — many agencies already do this.
The problem is that while, yes, the cyber effort can always use a boost from the Oval Office, this EO gives off the sense of, “Let’s do everything! Let’s do it all at once! You’ve got 30 days for this, 45 days for that, take 180 days for the other!”
In scurrying to carry out this EO, agency leadership should also tell the contractors and agency staff actually working the cybersecurity beat, “You keep your eyes on the ball while I deal with all of … this.”