The views expressed by contributors are their own and not the view of The Hill

Biden’s cybersecurity executive order: Five transformations

President Biden’s cybersecurity executive order (EO) could mark a turning point against ever-more audacious cyber threats. Its scope is ambitious. Its demands for speedy action are significant. And it signals clear White House intent: to make real this administration’s stated focus on overhauling national and federal cyber defense.

Agencies are moving out fast to fulfill the EO’s mandates. But amidst this scramble, it’s easy to miss the thematic transformations bubbling under the EO’s surface. There are five of these — and they’ll undergird the future of national cybersecurity.

First, CISA is in the express elevator, rising fast to federal cybersecurity leadership. The EO turbocharges Cyberspace Solarium Commission recommendations, FY21 NDAA provisions, and an executive and legislative branch groundswell to codify CISA as the authoritative driver of federal and national cyber defense. This is a sea change: After 30 years without a clear federal cybersecurity leader, the rose is pinned — perhaps even superglued — on CISA.

Can CISA meet the moment? We believe it will. There are, however, a few prerequisites:

Congress and the administration need to deliver these prerequisites — and then aggressively hold CISA and agencies accountable for results.

Second, security is about the entire extended digital ecosystem, not classic enterprise boundaries. And ecosystems morph, continually. In our software, cloud, and everything-as-a-service world, there’s no enterprise boundary. Organizations must have visibility into every element of their digital ecosystem, every strand of their supply chains.

EO-related efforts to develop standards and guidelines for supply chain security are helpful, as are February’s mandated agency supply chain reviews. But the key isn’t more checklists and questionnaires. It’s better risk management. It’s cyber threat modelling, emulation, and testing, to understand how real bad guys might attack via real ecosystem and supply chain weak links. And then aggregating those models at the federal or U.S. government levels and using them to prioritize remediation of the biggest security gaps.

Third, the era of security tools has reached its peak. The strategy to overlay more and more products and tools is often ineffective, redundant, and cost-prohibitive.

Agencies shouldn’t try to tool-buy their way through EO requirements. The key is building a more defensible, resilient, and modernized digital infrastructure based on zero trust principles.

Fortunately, the EO makes the zero-trust imperative clear. But how agencies should operationalize and implement zero trust security operations is more opaque. We need federal-wide maturity models, readiness assessments, and agency-tailorable blueprints to make zero trust real at scale. 

Fourth, cybersecurity is about operationalizing the data. Cyber defense operations are overweighted toward reactive detection and response. These functions matter, but we can get ahead.

Automated vulnerability management and, especially, persistent threat hunt will enable agencies and CISA to finally outpace threats — only, however, if organizations do a better job of harnessing security data and applying the advanced analytics that address vulnerabilities and reveal threats before they strike.

In cyber defense operations, speed, precision, and accuracy matter. High quality data, advanced analytics, and automation are key enablers. Critically, this needs to happen within agencies and organizations, and at CISA — where we can get federal-wide insights into adversary patterns and behaviors to ensure collective defense. Data is the fuel that lets the defenders move faster than the attackers; the future of cybersecurity is data driven.

Fifth, it’s time to go beyond information sharing.

There is a need for a new collaboration model for the public-private sector to facilitate information sharing and reduce operational, reputational and financial risks. A public-private cyber intelligence and information exchange would enable more contextualized threat intel to allow organizations to better defend against advanced persistent threats.

Biden’s EO starts to pave the way, with its focus on commercial reporting of cyber incidents. But there’s even more that can be done. Collaboration, not just information sharing, is key.

So, what now?

Yes, agencies need to get the EO mandates done. But it’s also imperative to keep focused on achieving these larger transformations the EO seeds. This is an opportunity for CISA — in its ever-more pronounced leadership role — to drive a vision and provide a “North Star” for what good federal and national cybersecurity looks like.

Patrick Gorman is an executive vice president at consulting firm Booz Allen, and leader of the firm’s cybersecurity business. He has over 35 years of experience in technology risk management and cybersecurity.