InfoSec Opinion Column #1 (January 21, 2025)
InfoSec Opinion Column is a regular summary of long-form, thought-provoking security content.
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved.
What: Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
Why it matters: This was the final chance for the Biden Administration to try to shape US cybersecurity policy, and it has resulted in one heck of an EO that covers a lot of ground.
tl;dr:
- "Improving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across agencies and with the private sector are especially critical to improvement of the Nation’s cybersecurity."
- There's a lot that doesn't have a direct impact on the private sector. For example, the EO directs Federal agencies to start working on implementing encrypted DNS, using end-to-end encryption in internal communications (including video chat/Zoom), and strengthening BGP security for Federal networks.
- Where things do start to impact the private sector is when we start thinking about FedRAMP and supplying software to the Federal government. The EO is pretty pointed about the failures of software vendors who claim to be secure, but ship vulnerable products.
- "In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise. The Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest."
Matt's view: An Executive Order isn't just the President sitting down and hammering out some bullet points on a typewriter. Dozens if not hundreds of stakeholders are involved, and the wording of every single sentence is debated. I've had an inside look at lobbying campaigns where the only goal was to get the phrase "digital innovation" inserted into a politician's speech, so you can imagine how much more important an EO that regulates the entire US government is. Now, in terms of the practical impact for private sector companies, it remains to be seen if the incoming administration decides to entirely undo everything here (which they can do unilaterally). By and large, this seems to be more a political move attempting to make sure CISA has the authorities it needs to improve the software supply chain for Federal procurement. I'm sure a bunch of contractors will lobby against stricter rules as we get to implementation as well. Nonetheless, this is one of the more promising and forward-looking statements on cybersecurity to come out of the White House in some time, and I'm hopeful it at least moves us in a directionally correct way towards better security.