In defense of Chris Krebs

With our footprint of research across the cybersecurity sector over the past decade, we have valued Executive Orders from respective Presidents that strengthen the context for taking required actions to provide protection against cyber threats. Our research several years ago, for example, highlighted the systematic weaknesses across the government sector, with ransomware being the threat of highest concern. On page 11 of our 2021 report, we said in relation to the United States:

The Biden administration is placing increasing emphasis on developing resilience in the face of cybersecurity threats against the government and other industry sectors. Ransomware is a key concern, considering recent disruption to critical infrastructure such as the Colonial Pipeline and JBS attacks. While there is a high focus on better securing government agencies, the administration is also directing American businesses to take cyberthreats and ransomware seriously. Many of the directives parallel what is required of government agencies. Three specific initiatives from the United States government are:

  • Executive Order on Improving the Nation’s Cybersecurity
    Issued in May 2021, Executive Order 14028 mandates improved information sharing on cybersecurity between the U.S. government and the private sector, requires stronger cybersecurity standards within the federal government (e.g., widespread adoption of multi-factor authentication, encryption, and zero trust), removes current barriers for service providers to share threat intelligence, elevates the importance of security in the software supply chain (including visibility into software composition), and establishes the Cyber Safety Review Board to analyze significant cyber incidents and make recommendations, among others. The administration is working with private sector organizations to improve the nation’s cybersecurity readiness, has secured significant commitments from Apple, Google, Microsoft, and Amazon, and is working with others to address the cybersecurity skills shortage.
  • Joint Cyber Defense Collaborative (JCDC)
    Part of the Cybersecurity & Infrastructure Security Agency (CISA), the JCDC was created in 2021 to lead the development of cyber defense plans in the United States to safeguard critical infrastructure and national interests. Its mission includes working with private and public sector organizations.
  • StopRansomware.gov
    Multiple federal government agencies, including the Department of Homeland Security and the Department of Justice, launched a one-stop resource for combating ransomware. Released in mid-July 2021, the website consolidates the ransomware resources from all federal government agencies into a single location, replacing the previous approach of resources being distributed across a variety of locations.

While we didn’t state it in these words at the time, we were applauding the actions of the Biden Administration to strengthen the fabric of cybersecurity as it affected government agencies and the private sector.

CISA gets a mention above. CISA wasn’t created by President Biden. That was an action taken by President Trump in November 2018 via the CISA Act, where an existing program inside the Department of Homeland Security was reorganized and rebranded. The leader of the earlier DHS program – Christopher Krebs – was appointed the first director of CISA. Over the next several years, CISA took an activist role in championing heightened cybersecurity across the United States (and beyond). Our research has referenced the following articles and updates from CISA:

  • CISA Launches Campaign to Reduce the Risk of Ransomware
  • Alert AA20-345A – Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
  • Joint Cyber Defense Collaborative
  • Executive Order on Improving the Nation’s Cybersecurity
  • Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
  • Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • Shields Up
  • Selecting a Protective DNS Service
  • StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
  • CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems
  • ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
  • FY22 Risk and Vulnerability Assessments (RVA) Results
  • CISA Releases Analysis of FY22 Risk and Vulnerability Assessments
  • CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

There was a lot more in addition to the above list that CISA did in providing leadership and direction, and as with the actions above from the Biden Administration, we applaud their contributions.

Our hands are not clapping for the recent Presidential Memoranda targeting Christopher Krebs, SentinelOne, and CISA. Christopher Krebs earlier bore the public brunt of President Trump’s ire after disagreeing with the President on the security of the 2020 election, a stance for which he was fired from his director position at CISA via Twitter. Five years later, President Trump appears to seek additional retribution for this stance against Krebs personally, even though the overwhelming weight of evidence after 60 court cases on alleged election fraud backs Krebs, not Trump.

This Presidential Memorandum is very bad form, in bad taste, and opens the door to a President throwing the weight of the US Government against a named individual who is perceived as an opponent. This is not behavior consistent with what we want our children to view as appropriate for the President of the United States.

The Presidential Memoranda and all related statements should be rescinded immediately, the consequential active investigation into Christopher Krebs cancelled forthwith, and the sanctions against Krebs and SentinelOne lifted.

On one point, however, we do agree with a statement in the Presidential Memoranda, albeit with a wording change. The directive to “do a comprehensive evaluation of all of CISA’s activities over the last 6 years” is a worthwhile activity. The wording change, however, is that it should not focus on points where conduct “appears to have been contrary to the purposes and policies in Executive Order 14149.” A much better standard would be alignment with the major cybersecurity challenges facing the United States over the next 20 years, which include election security and countering the proliferation of disinformation and misinformation that undermine election integrity. This would position the agency for ongoing relevance over the long term, not as one that is weakened by short-term partisan vendettas.
