How do you measure the success of a cybersecurity executive order?

In deadlines issued—and made or missed? In new strategies, revised frameworks and new guidelines drafted? In an overall sense of collaboration toward common security goals?

Just over one year ago, President Joe Biden signed Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” Notably, the EO focused mostly on the need for upgrades to federal networks and systems—requiring, for example, updated guidelines around the government’s acquisition of commercial software, the development of a new strategy for federal cloud security and the creation of a standard model for responding to cybersecurity incidents.

Most reporting about the recent EO anniversary was pretty in sync: agreeing that the EO was the right thing at the right time and that it helped usher in a wave of much-needed updated requirements for the federal government’s networks—but also that there is much more to be done. After all, the EO is still in its early stages.

Yet for all the good progress made over the past year, the fact that the U.S. federal government’s networks are in such need of a drastic overhaul seems almost… hypocritical. Usually, we hear about the federal government making rules for the private sector to follow, and chiding chief executive officers and chief information security officers for falling victim to hacks.

But for years, government networks have been a special kind of target for nation-state cyber operatives, criminal ransomware gangs in search of a quick buck and bored teenagers alike. Admittedly, this is partly because attackers know that governments are particularly juicy targets. But it’s also because the pace of governments is generally slower and less flexible than their private sector counterparts—meaning security upgrades can take longer and cost more. Accordingly, federal government agencies fail to meet basic security thresholds. A lot.

This weakness has often been exploited by U.S. adversaries. Cyberattacks against federal systems that are more or less sitting ducks have many times proven disastrous for national security—even if these incidents don’t usually carry the shock-and-awe power of something like last year’s takedown of Colonial Pipeline. They’re also often deeply embarrassing.

In 1998, for example, teenage hackers stole sensitive military information from poorly defended military networks in the middle of the U.S. bombing campaign against Iraq, causing leadership to assume that foreign attackers were trying to sabotage the military effort. Fast forward to the Obama administration when, over the course of about a year, it was discovered that Russian hackers were in the White House unclassified systems, the State Department and the Joint Chiefs of Staff network. And of course, EO 14028 was itself signed just months after the discovery of the SolarWinds breach: the realization that Russian state operatives had accessed the networks of at least nine federal agencies and a hundred companies during the Trump administration. It’s been a rough couple of decades for the federal government.

Yet as absolutely fascinating and undeniably sexy as those shocking cyberattacks are, the ways to prevent future incidents—i.e. the entire focus of this EO—are decidedly not. Phrases like zero-trust architecture—the very good idea that you shouldn’t just assume that everyone with a password is an authorized user, and that users must instead continuously prove and re-prove their identity—and the need to standardize common cybersecurity contractual requirements across agencies tend to make most people’s eyes glaze over. (And please, if you don’t believe me, feel free to read this excellent breakdown by Covington—or any of its 12 monthly follow-up articles tracking the EO’s implementation—and join me in speculating when the Federal Acquisition Regulatory Council will issue a new rulemaking on incident reporting.)

So how do you measure the impact of a densely written, 8000-word executive order jam-packed with minutiae only one year after it was written? Perhaps something like this:

Though not a panacea, EO 14028 has definitively staked out the White House’s position on the importance of getting its own (cybersecurity) house in order—something that was long overdue. It has also laid out a common strategy for the federal government and identified many of the checkpoints that it expects agencies and departments to follow. Further, the EO was crafted with the explicit acknowledgement that private industry and the government need to work hand in glove, and that what impacts one will impact the other. This is something that was rarely well-articulated or followed through in earlier government efforts, much to the chagrin of industry. And finally, though some deadlines have been missed and some initiatives delayed, there appears to be a good-faith effort to meet the challenging deadlines laid out in the EO.

Where the EO may be falling short is in implementation—a failure for which Congress interrogated several lead cybersecurity government executives last week. Much of last year’s efforts were targeted at research, writing and evaluation; what comes next will be putting those recommendations into action and making sure they meet expectations for their mission and goals. For example, while the government did stand up a review board to evaluate major cybersecurity incidents, we haven’t seen findings yet. In a similar vein, many agencies will fall short of multi-factor authentication deadlines.

Of course, whatever the progress made, there will always be more cyberattacks: adversaries and criminals alike won’t stop just because we’re better at defending against them. But it’s worth taking a moment to review the EO’s impact at a high level, divorced from the minutiae of what has been passed and what has not, and to acknowledge that the Biden administration and the administrative state have accomplished quite a bit in a single calendar year. Unfortunately, what comes next—compliance and implementation—may well be much harder.

Image: stuart miles