On May 12, 2021, the Biden Administration issued its much anticipated Executive Order (EO) on Improving the Nation’s Cybersecurity.
The order was issued in response to a recent spate of software supply chain and cyber breaches such as SolarWinds, Codecov, Dependency Confusion, Microsoft Exchange, and Colonial Pipeline. These all remind us that US public and private entities face increasingly hostile activity from highly sophisticated adversaries.
Understanding the EO from a technical perspective is a complicated exercise that encompasses a wide variety of motives, attack vectors, engineering concepts, and rapidly evolving defensive strategies. Fortunately, understanding the EO from a human perspective is really quite simple. In fact, everything you need to know about it, you probably learned in kindergarten.
Wait, what?
Allow me to explain. In its simplest form, the EO provides the following directives:
Learn to Share.
In kindergarten, if you witnessed bad behavior, you were encouraged to tell the teacher and share what you saw. Similarly, the EO removes barriers that kept IT service providers from sharing information with the government, and it requires them to disclose certain breach information as soon as possible. In the past, IT service providers would often hesitate to volunteer details about a compromise. There are many nuanced reasons for this, just as there were reasons why you didn't always tell the teacher when you saw something bad happen in kindergarten.
But here is the bottom line: in kindergarten, kids are expected to share information to help keep the classroom calm. They are also encouraged to say they're sorry when they hurt somebody and to clean up their own messes. And now, as a result of the EO, IT vendors will be expected to clean up after themselves and say they're sorry by sharing sensitive, clear information and (Read more...)