President Biden’s Cybersecurity Executive Order Calls for a Drastic Shift. But Will it be Enough?

Just after President Biden was elected into office, he openly declared that cybersecurity would be among his top priorities.

Every modern president has created a myriad of executive orders (EO) related to national security initiatives, but many have fallen short.

The most recent, and perhaps most promising, effort was the March 2020 Cyber Solarium Commission Report. Like the 9/11 Commission that came before it, the Cyber Solarium Report makes bold recommendations for a restructured American cyberspace. President Biden's own EO has taken inspiration from the report, calling for federal agencies and the private sector to work more closely together in order to share information and deploy technologies that increase US resiliency against cyberattacks. But simply calling for change is rarely enough, especially when it is the government calling for change that needs to occur in private sector.

President Biden noted in his May 14 press conference that "it is clear to everyone that we need to do more than what we are doing now and the federal government can be a significant value added in making that happen."

Enter the cyber executive order. Citing both the Solar Winds and Colonial Pipeline hacks as catalysts for change, the EO calls for a series of initiatives that aim to minimize the frequency and impact of attacks of this nature. While it shouldn't have taken events of this magnitude and government intervention to convince businesses to significantly improve their cybersecurity programs, the whole world will likely benefit from emulating this effort should the private sector comply with new government led cybersecurity standards.

The "executive order makes a down-payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely," a senior administration official told reporters. "It reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security."

Broadly speaking, the EO calls for:

- Creating new IT security rules for select federal contractors
- Requiring federal agencies to implement additional IT security measures
- Setting standards for commercial software
- Creating a national review board
- Standardizing the government's incident response plan

So, will it be enough?

Lawmakers have generally applauded Biden for his declaration, praising the program on its goal to "educate the public on the security capabilities of internet-of-things (IoT) devices," and being a "good first step."

Congressman Jim Langevin (D-RI), chair of the House Armed Services Subcommittee on Cybersecurity, Innovative Technologies, and Information Systems and a member of the Cyberspace Solarium Commission, issued a statement saying, "Cybersecurity is the most urgent national security challenge facing our nation, and I applaud President Biden for taking action early in his term to address and eliminate glaring vulnerabilities."

From a security standpoint, experts aren't as optimistic. The EO, which contains 46 action items, currently lacks clarification on how it will achieve many of its goals.

Gordon Bitko, Senior Vice President of Public Sector Policy at the Information Technology Industry Council (ITI), wrote in Forbes: "There are not enough resources to meet existing cyber requirements, so the new ones levied by the EO only increase the depth of technical deficiencies and create negative incentives for government cyber staff to check requirement boxes instead of doing effective work. A lack of provision of appropriate resources could directly undermine the success of the EO."

While it is far from perfect, the executive order acknowledges some of the flaws of the outdated cybersecurity model, while creating a new security template founded in zero trust. Now the challenge will be to secure the right bi-partisan leadership and funding to effectively carry out their plans.