This blog is an excerpt of our deep dive perspective on the public and private sector implications stemming from this federal directive. Get the full report.
At first blush, President Biden’s executive order on national cybersecurity1 may appear to be timely – a direct response to a series of crippling ransomware attacks on critical U.S. infrastructure. As the world attempted to recover from a devastating pandemic, hackers successfully targeted hospitals, then daily necessities such as food, water, and energy supplies, causing panic and disruptions. Immediate federal government action to address these and future threats is certainly necessary.
Unfortunately, the executive order is neither perfectly timed nor a comprehensive enough response to one of the most serious national security challenges of our time. The cybersecurity industry has been sounding the alarm bells on ransomware threats for years. Concerns were on the rise well before the pandemic, as organizations began accelerating latent digital transformations and expanding access to insecure operational technology (OT) assets. However, since the pandemic, this has been further compounded by the massive expansion of cloud migrations and meteoric rise in VPN deployments, opening up exponential numbers of new entry points for cyberattacks. There were consequences: Digitizing without adequate OT/IT security enabled hackers in Russia, North Korea, and Iran to seize control of key American businesses without even setting foot on U.S. soil – attacks that could have been prevented.