The President’s Cybersecurity Executive Order Is Good News, but a Missed Opportunity

The federal government can learn a lot from the private sector. The President’s Cybersecurity Executive Order provides opportunities for just that. President Joseph R. Biden issued an Executive Order on Improving Cybersecurity Nationwide on May 12. It outlines many requirements for federal agencies, as well as for organizations that do business with the federal government. CompTIA released a statement supporting this Executive Order on May 13. Although there are many positive aspects to this Executive Order, there are also some concerns.
It is important to remember that there was an opportunity to call upon private industry to comply with many, if not all, of the requirements placed on federal agencies. It is clear that neither government nor private industry can successfully combat the cybersecurity threats they face on their own. Only by improving the way government and private industry work together can we take the momentum back from the bad actors and further secure our connected networks.
We need to share information early and often
I am most pleased with the call for increased and improved information sharing between agencies. Cyber threat intelligence must be shared to enable organizations to deploy, configure, and monitor their environments for signs of attack. The public-private partnership is more important than ever. I hope that the demand for better information sharing within the federal government will naturally spill over and improve the existing public-private partnerships, which are mainly managed by the Cybersecurity and Infrastructure Security Agency (CISA).
Some of the mandatory reporting requirements can be problematic, mainly for service providers to the federal government. I support the requirement because it encourages, or in this instance requires, notification of cybersecurity events that could indicate successful attacks. Public and private organizations keep information about known or possible attacks close to their chests. This is because they fear that an organization will be “cybershamed” if it self-reports without a full post-mortem. It is more important than ever to notify the relevant organization whenever there is any concern, even if it is not yet confirmed. If we want to move from reactive defense to effective offense, we must share as much information as we can, as soon as possible.
A Call for More Cyber Investments and Training
The Executive Order also calls for increased reporting to Congress. Although I applaud the goal, I am concerned that the additional reports will only add to the already large amount of information being sent to Congress, which so far has not resulted in meaningful improvements. I will support this reporting as long as it leads to positive change. However, I am concerned that it will only create more noise rather than the necessary action that industry experts agree on.
It is clear that the Department of Homeland Security (DHS), and CISA in particular, need more funding. We must make the necessary investments to secure our collective infrastructure. Some are concerned that DHS will recruit all of the available cybersecurity talent, which could worsen the growing gap in skilled workers available for hire across the public and private sectors. While it is possible that this concern will come to pass, it is one more reason why CompTIA’s workforce training programs are crucial in closing the huge skills gap.
Seven areas where we can all improve
The Executive Order identifies seven areas that need improvement. As I have said, I am pleased to see that the number one priority is to remove barriers to sharing threat information between the government and the private sector. This critical threat information must be shared in order to allow the government and private sectors to work together effectively to defeat the bad actors. This is something that has universal support. CompTIA ISAO and CompTIA strongly support it and are ready to help make it happen.
IT service providers to the government must also share breach information. I agree that this information sharing is necessary to improve the effectiveness of our network defenses. It will be interesting to hear service providers comment on how the implementation goes and what, if anything, they do.
The federal government should also implement stronger cybersecurity standards. This is a sensible decision, and the work done here will also be applicable to private industry. Multi-factor authentication, zero-trust, encryption,