When it was signed a year ago today, Executive Order 14028, Improving the Nation's Cybersecurity, was a measured response to an urgent problem. Just days prior, the Colonial Pipeline was shut down by a ransomware attack, thrusting the issue of cyber-risk to critical US infrastructure into the spotlight. One year later, what progress has been made? Here's a scorecard to help you keep track.
Section 1: Policy
Last October, the president signed the K-12 Cybersecurity Act into law, providing resources for school districts to combat cyberattacks. In March, he signed the Strengthening American Cybersecurity Act of 2022. Still, huge swaths of US critical infrastructure are in private hands, and questions remain about how to improve private sector cybersecurity and resilience.
What would earn an "A"? To really put a dent in cyberattacks against the US, new federal laws and regulations need to set a high bar and impose high costs on firms that fail to clear it.
Section 2: Removing Barriers to Sharing Threat Information
Under the direction of Director Jen Easterly, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted many successful efforts to promote sharing of threat intelligence. These include coordinated responses to threats, like the Shields Up initiative, in response to Log4j. The Strengthening American Cybersecurity Act also contains substantive new requirements for federal agencies for information sharing.
What would earn an "A"? Information sharing within critical industry sectors is still a patchwork effort and often limited to the largest and wealthiest organizations. CISA needs to improve threat intelligence sharing in sectors where it's not the norm and draw in smaller organizations that are often left out of the loop due to operational immaturities.
Section 3: Modernizing Federal Government Cybersecurity
Section 3 of the Executive Order lays out requirements for the federal government to address cyber-risk by promoting movement to cloud-based services and adoption of zero-trust architectures. A year after the EO was signed, we see some progress on that. CISA published a Cloud Security Technical Reference and guidance for building zero-trust architectures. Government and defense organizations are adopting cloud-native security solutions and building cloud-first approaches.
What would earn an "A"? Incremental approaches to modernization aren't enough. An April 2021 report by the Government Accountability Office found that the US government spends substantial portions of its $100 billion IT budget to operate and maintain legacy systems. Breaking that cycle and grasping the holy grail of zero trust requires a "whole of government" approach.
Section 4: Enhanced Software Supply Chain
Not much has been done here. As we noted in February, NIST published Version 1.1 of the Secure Software Development Framework (SSDF) but punted on guidance for software bills of materials (SBOMs). Also, the guidance exempted software development organizations working within the federal government.
What would earn an "A"? Development organizations within the federal government should be bound by the same rules and standards as third parties who sell to Uncle Sam. Guidance on the use of SBOMs also needs to be clarified and enforced.
Section 5: Establishing the Cyber Safety Review Board
This is one of the more concrete elements of the EO and, so far, the federal government has complied with the EO's requirement. The Department of Homeland Security launched the Cyber Safety Review Board in February 2022. As part of the launch, CSRB said its first review will focus on the Log4j vulnerabilities, but a report on that is not due out until the summer.
Section 6: Standardize Federal Playbooks for Incident Response (IR) and Vulnerability Management
This is another concrete deliverable in the Executive Order. CISA published the playbooks in November 2021. The question is whether they are being put to use, and that is hard to know without a mechanism that can anonymize and share an aggregate MRT (mean time to response) per industry.
What would earn an "A"? With playbooks in hand, the question is how to operationalize them across the federal government (and its contractors and partners). Keeping close tabs on agencies' use of the playbooks and progress on IR and vulnerability management is a good start.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 of the EO exhorts federal agencies to improve their vulnerability and threat detection capabilities. The goal is to empower federal agencies to engage in cyber hunt, detection, and response. News of successful attacks on federal IT infrastructure suggests that there is still much work to be done, however.
What would earn an "A"? The private sector has embraced automation and new tooling. At the federal level, there is scant evidence that such efforts are underway. The federal government should mount an effort to deploy more detection tooling, such as Sigma, Suricata, and YARA rules, to improve IR.
Section 8: Improve Federal Government Investigative & Remediation Capabilities
This part of the EO directs federal agencies to improve logging and data retention to facilitate investigations, but the government's investigative and remediation capabilities are little improved from a year ago, with no modern frameworks deployed (to the best of my knowledge).
What would earn an "A"? The federal government needs to leverage automation and modern threat intelligence and IR frameworks, taking a "whole of government" approach to threat hunting.
Section 9: National Security Systems
This section requires the secretary of defense and the director of national intelligence (DNI) to implement requirements for national security systems that are equivalent to or exceed the requirements in the EO. Much of this work is classified, but I see a strategic shift to adopt CTO leadership philosophies and build agile approaches to decentralizing risks.
What would earn an "A"? With Avril Haines recently sworn in as the DNI, we expect there to be progress for improved execution, although the breadth and focus of the Ukraine-Russia conflict might take precedence before real results are evident.