Policy and patience key in Biden’s cybersecurity battle
Last month, President Biden hosted a group of technology and insurance executives to build support for a “whole-of-nation effort” to improve cybersecurity. The executive summit was one of a series of steps the Biden administration has taken to try to stem the tide of criminal activity targeting the nation’s public and private computer networks.
Ransomware attacks increased by 288% from the first quarter of 2021 (January through March) to the second (April through June). In addition to using its convening power to cajole big tech into investing more in cybersecurity, the Biden administration issued an Executive Order in May that sought to leverage the Federal government's purchasing power to drive greater software security.
Now that 100 days have passed, it is worth assessing the practical impact of the EO, and of the administration's subsequent actions, on the nation's cybersecurity. The reality is that results so far are mixed, but the order is an important step forward for the public and private sectors alike in an environment where threats, especially ransomware, are likely to continue unabated.
The administration moved with impressive speed out of the gate to craft the order, including within it a litany of ambitious deadlines to compel federal agency actions. It has been received positively by many in the industry as a promising beginning; however, most of the policy initiatives it launched will take months, and in some cases years, to produce results. Even that timing is ambitious: many of the required actions are internal to federal agencies, such as implementing multi-factor authentication for password-protected systems, and it is too early to know whether those agencies will be able to meet the aggressive timetable.
The most visible implementation action so far has been NIST's guidance on security measures for federal agencies' use of critical software. While not groundbreaking in substance, since the guidance amounts to an index of best practices citing previous federal advisories, the list will help federal agency CIOs ensure they have addressed key software supply chain risks. The speed of the NIST response also sets an important precedent for the other deadlines in the EO and suggests the administration intends to follow through on its execution.
Overall, it’s too early to say whether the EO will have a material impact on the cybersecurity of the federal government. Many of the actions directed by the order are intended to drive adoption of security industry best practices. The need for a presidential decree to get federal agencies to adopt basic security best practices is troubling; however, the Biden administration likely saw these foundational elements as low-hanging fruit that it could act on quickly. It also serves as an important signal to federal CIOs about the priority of cybersecurity initiatives, and CIOs in any organization appreciate clarity from their leadership on the strategic priorities of the enterprise.
Subsequent actions taken by the administration have been more aggressive, suggesting cybersecurity will remain a policy priority for the President. The Department of Homeland Security's Transportation Security Administration directed critical pipeline operators to implement new cybersecurity protections in response to the Colonial Pipeline ransomware incident. Additionally, the President's call for Russia to cease its tacit support for ransomware criminal organizations, made during the June summit meeting between Biden and Putin, indicates that the administration's strategy includes policy actions to stem the activity at its source, not just to improve defenses.
So, what impact will the Biden administration’s cybersecurity policies have on private sector organizations?
In the near term, we can expect little change. There is no indication the Russian government intends to curtail ransomware criminal activity against the US, so ransomware attacks against US companies are likely to continue at their current pace. Further, the effects of the Executive Order and subsequent policy initiatives to improve American defenses will be limited to federal agencies and to large software companies with federal contracts.
In the longer term, however, the administration will likely seek to expand mandatory cybersecurity protections for critical industries through existing regulatory authorities, and possibly new legislative authorities. Private sector executives should expect new federal reporting rules and possibly new compliance mandates if the trend of material cybersecurity incidents continues as expected.