After grappling with multiple devastating cyberattacks, experts are applauding the progress made by the White House in the year since President Biden signed an executive order aimed to strengthen federal cybersecurity.
They are particularly impressed with the improvements to make it easier for the government and the private sector to share threat information.
“I’ve seen much more directive, actionable steps coming out now and I think the executive order is a big reason for that,” said Chris Wysopal, chief technology officer at Veracode.
The May 2021 order sought to help secure federal government networks and critical infrastructure against cyber strikes. It introduced several key initiatives, including facilitating threat information sharing between the government and the private sector, modernizing federal cybersecurity standards and improving software supply chain security, among others.
Wysopal added that the Cybersecurity and Infrastructure Security Agency (CISA) has been frequently sharing threat intelligence and issuing guidance on the best cybersecurity practices to adopt, including implementing multi-factor authentication and using encryption.
“CISA has really improved immensely in that area,” he said.
Kelly Rozumalski, a senior vice president at technology consulting firm Booz Allen Hamilton with similar views, said the order paved the way for better coordination between sectors.
“I think the public-private partnership portion of the executive order has really been key,” Rozumalski said.
CISA has played a key role in pushing some of the order’s initiatives forward, including publishing a standardized playbook on cybersecurity vulnerabilities and incident response. The playbook ensures that all federal agencies meet certain standards and are prepared to mitigate and respond to cyber incidents.
The agency also launched the Joint Cyber Defense Collaborative (JCDC) last year in an effort to encourage more and better collaboration between public and private sectors.
Since then, CISA has partnered with numerous companies in the private sector to push forward that effort, which includes implementing nationwide cyber defense strategies, sharing information and other steps to mitigate the risks of cyberattacks.
“The cyber executive order really set the foundations for how to evolve national and federal cyber defense,” Rozumalski said.
Calling the order long overdue, Wysopal said its directives are practical and comprehensive, adding that the mandate covered more ground than he was expecting.
Prior to the order, there was a lot of talk but no action in Congress about concrete ways to improve federal cybersecurity, Wysospal said.
“[The order] sort of changed the status quo from best practices to practicality,” he said, adding that it “helped push things forward which were kind of stuck for years.”
He added that the federal mandate had ripple effects in the private sector that pushed companies to take cybersecurity more seriously.
The executive order was introduced amid major cyber incidents in the past few years, including SolarWinds and Colonial Pipeline, that disrupted critical sectors.
Last May, the Colonial Pipeline was hit by a destructive ransomware attack, forcing it to shut down operations for nearly a week.
The year before, SolarWinds, a Texas-based software firm, was breached when Russian state-sponsored hackers exploited vulnerabilities in its updates to penetrate the networks of nine federal agencies and at least 100 private sector organizations.
The SolarWinds hack specifically prompted a directive in the order that would require baseline security standards for software sold to the government.
“Putting those requirements on suppliers has really forced suppliers to take software security seriously,” Wysopal said, adding that many companies in the private sector now also require that suppliers sell them upgraded and secure software.
Rozumlaski added that while it’s helpful to develop standards and guidelines for supply chain security, it’s also important to focus on risk management to identify, analyze and address potential cyber threats. For instance, she said, companies should include cyber threat modeling, testing and software emulation in their risk management plan.
“We need better risk management,” she said, adding that “we really need to understand the threats that impact the supply chain and not just focus on the standards on this checklist.”
Cyber officials testifying before Congress this came to similar conclusions as the outside experts who spoke to The Hill, telling lawmakers they’ve made “significant progress” in improving and securing federal networks from cyber threats.
Although some federal agencies are not yet at the level they want, they have implemented security measures, including multi-factor authentication and encryption, that have the most impact on securing federal networks.
“We’ve got a lot of work ahead, but I really feel very good about the progress we’re making and the path we put ourselves on,” Christopher DeRusha, the deputy national cyber director in the executive office of the president, told the House Homeland Security subcommittee on cybersecurity on Tuesday.
The lawmakers asked the officials whether the Biden administration has taken steps to secure the networks of federal agencies in response to the recent Russian cyber threats.
DeRusha said his office has met with federal chief information officers since November to discuss the threat levels and how to prepare for them.
