On May 12, 2021, President Joseph Biden signed the “Executive Order on Improving the Nation’s Cybersecurity.” I believe the order is well-intentioned and was developed by industry experts – many of whom I’ve personally known for years. But the order is just too long and includes far too many unattainable goals. Sadly, I believe the order will come and go – and we will continue to see an uninterrupted series of cyber attacks on our nation’s infrastructure. Below are my top five concerns about the order:
Concern 1: Threat Sharing
For the past several decades, since Richard Clarke introduced the idea to our community, there has been a misconception that sharing of threat information will ease cyber risk. I see no evidence that this is true. The order starts with a narrative about removing barriers to threat sharing that could have been written in 1995. It will make no more difference now than it did when we tried this route then. (Read PDD63 from 1998 and compare to the present order.)
Concern 2: Reporting Cyber Incidents
For the past several decades, government has been promoting the idea that reporting of cyber incidents will improve our nation’s ability to prevent attacks in the future. I see no evidence that this is true. The order goes into much detail about driving this forward, and I think the process is irrelevant. Rather than shame organizations into fixing problems to avoid reporting, it instead drives reporting fatigue as more and more incidents are detailed.
Concern 3: Sixty-Day Plans for Agencies to Zero Trust
While I applaud the boldness of demanding that agencies provide sixty-day plans to zero trust, I suspect that this will be an unattainable goal for most. Does the administration expect this to include removal of agency perimeters? Is this part of the DHS roadmap for protecting agency traffic? How will DHS Einstein protections support agencies moving to public SaaS and cloud-based services? I just don’t see how agencies will be able to deliver on this request.
Concern 4: Supply Chain Security
While I also applaud the correctness of targeting supply chain security, the order will politicize processes such as Software Bill of Materials (SBOM), which can be implemented by just including boilerplate in software contracts. It also includes technically unattainable goals such as attesting to the integrity and provenance of open-source software. I’m just not sure how any group can possibly do that.
Concern 5: Detection, Response, and Review
While detection, response, and review are certainly important capabilities, the order basically demands that everyone do these things better. While one wonders why prevention was not also explicitly called out, the likely response to these demands will be a flood of new purchases of cyber security products. In fact, EDR is called out explicitly as a requirement, which is a massive gift to those vendors.
In the end – this Executive Order includes too much – and demands things our community has been demanding for decades with little success. I would have rather seen a one-sentence executive order demanding that every company in the Fortune 500 sponsor ten students for a free computer science BS degree in return for five years in the government. The result would be 5000 youngsters joining government each year, and that would have real impact.