As President Biden’s cybersecurity executive order (EO) reaches its year-and-a-half milestone, Federal officials today agreed that the cyber EO is different from the rest as it “has legs” and will produce long-lasting results for the government.
At ATARC’s Cybersecurity Executive Order Breakfast Summit today, Federal officials said they have witnessed a significant mindset shift within the Federal government as a result of the cyber EO, and expect that momentum to continue.
“I think a real shift with this executive order is it has legs,” said Amy Hamilton, the senior cybersecurity advisor at the Department of Energy (DoE). “This time, people are actually listening. The partnership is there, and the administration and Congress are actually working together.”
“I think what we’ve recognized is our adversaries don’t care. They don’t care the branch of the government we’re in, they don’t care the agency that we’re in, the adversary will continue to attack,” she said. “They will go after our information. They may do it for different reasons, whether it’s our intellectual property, whether it’s to attack our OT systems and to create nefarious activities – we have to improve or we are going to lose.”
Oftentimes, EOs come with a checklist that agencies complete and then never think about again. While this EO still comes with a “checklist,” Lisa Barr, the director of Federal cybersecurity within the Office of the National Cyber Director (ONCD), explained it’s one that will carry on beyond the EO’s deadlines.
“Sometimes when EOs come out there’s sort of a checklist of things that you do, and then you’re done with them, and they get put to the side. But we see with the EO is that the sons and daughters of the EO are continuing,” Barr said.
“We’re continuing to see a priority across our departments, agencies… there are more secretaries and deputy secretaries that our director is having conversations with about multi-factor authentication, encryption, and all these sorts of things that it’s increasing the dialogue and the priority and pressure that’s being placed on departments and agencies,” she added.
Picking up on Barr’s “sons and daughters” point, Kimberly Gajewski, the deputy director for cyber policy and strategy at the Department of Homeland Security (DHS), highlighted the establishment of the Cyber Safety Review Board (CSRB) as an example of the EO’s longevity.
DHS stood up the CSRB in February – as directed by President Biden’s cyber EO – marking an unprecedented “innovative public-private partnership,” Gajewski said.
“To the point of really going beyond just what the EO might have ordered initially, this CSRB has grown, thrived, and we are actually actively looking for our second topic to pursue, so look for that hopefully in the coming months,” she said. “It is very much an enduring body, very much an enduring approach to figuring out a way to partner with private sector… to be more collaborative in the ways that we’ve learned from incidents as they occur and move forward such that we’re not repeating the same mistakes over and over again due to a lack of communication from private sector and Federal government.”
Jamie Holcombe, chief information officer (CIO) at the U.S. Patent and Trademark Office, called the EO and this mindset shift “a monumental step forward.”
Holcombe applauded the EO for being able to “change culture, to change the way people think – especially in the cybersecurity industry in the Federal government,” which he said is a very difficult thing to do.
“We are as a Federal government starting to walk our talk with a little bit more seriousness, a little more earnestness, and I think the EO really helped put us into that position,” Gajewski said.