The Biden administration is tapping several former NSA officials to lead the administration’s key cyber posts. Chris Inglis, former Deputy Director of NSA, is nominated as the first National Cyber Director; Jen Easterly, former NSA intelligence officer, is nominated to head the Cybersecurity and Infrastructure Security Agency (CISA); and Anne Neuberger, former Director of Cybersecurity at NSA, has been appointed Deputy National Security Advisor for Cyber and Emerging Technology. There surely will be more to follow. These are experienced, highly competent professionals who step into these roles with eyes wide open about the breadth, complexity, and criticality of the cyber threats our nation faces. They have been both defenders and offensive operators. I believe they will take a ‘Defend the Nation’ approach rather than a ‘Defend the Government’ approach. They understand that the backbone of our country is our national critical infrastructure (NCI) services, and I believe that is where they will focus. The tools at their disposal are Executive Orders (EOs), issuance of standards, regulations (with compliance teeth), and laws. I list these tools in what I consider the order of difficulty (and therefore length of time) to put into effect.
The Cyber EO is first out of the gate. EOs are, by definition, federal directives issued by the President that specify how executive branch resources and operations are to be used and managed. They are not laws, and therefore do not bind entities outside the federal government. That said, the sheer size of the federal government, and in particular its procurement purse, causes private sector actors to pay attention and engage. The sentence that encapsulates the intent of the EO is this: ‘We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.’ Take out the words ‘all software’, replace them with ‘everything’, and that’s the message.
In broad strokes the EO is focused on 1) requiring the sharing of breach and threat information; 2) directing the move to secure cloud services, a zero trust architecture, multifactor authentication, and encryption of data at rest and in transit; 3) labeling of software on a security quality scale, visible to all (what gets measured gets done); 4) public/private after-action reviews, i.e. the Cyber Safety Review Board, to shine a light on what went wrong and what we are going to do about it (public pressure campaigns); 5) creation of a standard playbook for cyber incident response (repeatable process, common terminology, extendable to the private sector); 6) ubiquitous endpoint detection and response (EDR) across the USG with intra-government sharing protocols; 7) establishment and enforcement of baseline logging requirements for system activity (track the breadcrumbs to see the path).
Portfolio companies would do well to assess their own cyber practices against the norms the EO expects. And of course, business opportunities will arise from helping the government, and all who sell to the government, comply with the EO. It is my hope and my belief that this EO will not be a paper tiger. The new team is in place, they are serious, and they will use the authorities granted to them to make a difference that matters, at scale, for all.
Here are some good resources that summarize the EO: