A year after President Joe Biden signed a sweeping executive order to better secure federal networks from hackers, senior cyber officials insisted progress has been made — even though compliance with key portions of the directive remains uneven.
Biden issued the order in response to the SolarWinds digital espionage campaign carried out by the Russian government, which infiltrated at least nine federal agencies and about 100 companies.
The president set deadlines for more than 50 different reports and actions — including mandating agencies encrypt their data, enable multi-factor authentication to back up passwords and update plans for safely using cloud hosting services — in an attempt to overhaul the way the government defends itself against cyberattacks.
“The security of our nation will be drastically improved when the goals of the EO have been met, and we feel we’ve made tremendous progress over this first year,” Federal Chief Information Security Officer Chris DeRusha told the House Homeland Security Cybersecurity Subcommittee on Tuesday.
Eric Goldstein, the head of the Cybersecurity and Infrastructure Security Agency’s cyber division, said the order “took important steps” toward changing how the government handles cybersecurity. But “we have a tremendous amount of more work to do” on digital investment and modernization within the executive branch, he added.
Lawmakers on both sides of the aisle expressed concern that agencies are falling short of the order’s benchmarks.
Rep. Andrew Garbarino (N.Y.), the subpanel’s top Republican, asked what “less cyber mature” agencies could do to catch up.
David Shive, the General Services Administration’s chief information officer, advised entities to make sure cybersecurity is part of every business plan and to ingratiate themselves with the larger cyber community in order to gain additional know-how.
Rep. Ritchie Torres (D-N.Y.), the Homeland Security Committee’s vice chair, noted that Biden’s order required all agencies to either implement multi-factor authentication by November or provide a reason for failing to do so.
Torres said he and Rep. Yvette Clarke (D-N.Y.), the subcommittee chair, sent a letter to CISA Director Jen Easterly earlier this year about compliance and that she “promised” most agencies would be compliant by mid-March.
“I would say every agency with the capacity to deploy MFA and encryption has done so in almost all cases,” Goldstein replied after being pressed by the New York Democrat.
“Do you have a number?” Torres asked.
“I don’t, sir,” Goldstein replied.