On May 12, 2021, US President Joe Biden signed a long-awaited executive order on cybersecurity (Executive Order 14028), largely a policy response to the recently discovered SolarWinds "Sunburst" supply-chain compromise and the mass exploitation of on-premises Microsoft Exchange Server. The order addresses a host of challenges, ranging from public-private sector information sharing to software supply chain security and cloud computing.
To help unpack the executive order and its impact on the private sector and federal cybersecurity, several Cyber Statecraft Initiative fellows and friends of the program marked up the document. The contributors include former senior government officials, longtime information security researchers, the Linux Foundation, and more. Below is the text of the executive order, displayed with annotations from each expert.
Analysis by Katie Nickels, Atlantic Council; Chris Wysopal, Veracode; Wendy Nather, Cisco; Kate Stewart, Linux Foundation; Nicholas Andersen, Atlantic Council; and Dr. David A. Wheeler, Linux Foundation.
Katie Nickels is the director of intelligence for Red Canary as well as a SANS certified instructor for FOR578: Cyber Threat Intelligence and a nonresident senior fellow for the Atlantic Council’s Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the US DoD, MITRE, Raytheon, and ManTech.
Chris Wysopal is the co-founder and CTO of Veracode, an application security technology provider for software developers. Chris was one of the original software vulnerability researchers in the 1990s. He has testified before Congress on the topic of government cybersecurity.
Wendy Nather is a former CISO in the public and private sectors, and a former research director at the RH-ISAC and analyst firm 451 Research. She leads the Advisory CISOs in the security strategy team at Cisco.
Kate Stewart is vice president of dependable embedded systems at the Linux Foundation. She has over 20 years of experience in software enablement and open source collaboration, and for the last three years, she has also been a co-chair on the NTIA SBOM “Formats and Tooling” working group.
Nicholas Andersen is a nonresident senior fellow with the Atlantic Council’s Cyber Statecraft Initiative, housed within the Scowcroft Center for Strategy and Security. He currently is the CISO for Public Sector at Lumen Technologies, and previously served as the Principal Deputy Assistant Secretary of Energy for Cybersecurity, Energy Security, and Emergency Response and as the Federal Cybersecurity Lead/Senior Cybersecurity Advisor at the White House Office of Management and Budget.
Dr. David A. Wheeler, director of open source supply chain security at the Linux Foundation, is an expert on developing secure software and on open source software. Dr. Wheeler has a PhD in Information Technology, a Master’s in Computer Science, a certificate in Information Security, a certificate in Software Engineering, and a BS in Electronics Engineering; he is also a Certified Information Systems Security Professional (CISSP) and a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE).
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.