Signs of notable change in federal cybersecurity posture; who stands to benefit?

The U.S. federal government has generated a flurry of orders, pronouncements and guidelines over the past year aimed at helping government entities and the private sector deal with an increasing number of high-profile cyberattacks.

The words are remarkably similar to what policy makers have written over the past 25 years. Most would say these policies led to actions that fell well short of their goals.

Skeptics say this time will be no different, but we see several signs the current measures will create sustained momentum toward a meaningfully improved cybersecurity posture.

We think prospects for this change bode well for companies that can tap into spending by the U.S. federal government as well as those that serve companies that supply and partner with the government, and we highlight some of the potential winners and losers from such a change.

The U.S. federal government has generated a flurry of orders, pronouncements and guidelines over the past year aimed at helping government entities and the private sector deal with an increasing number of high-profile cyberattacks on a variety of assets, including critical infrastructure. The most prominent measure is Executive Order 14208, signed by President Biden on May 12, which has eight major provisions and directs several agencies to take specific actions by specific dates. While this measure is more specific and prescriptive in some areas relative to past measures (and as the headlines of the sections indicate, quite broad in scope), overall, the order is remarkably similar to numerous other executive orders on cybersecurity we’ve seen since the advent of the internet, starting with Executive Order 13010 in 1996 by President Clinton and running through orders issued by presidents Bush, Obama and Trump, a sample of which are shown in Table 2.

With each order, organizations that track cybersecurity risks hoped the government was finally waking up to the magnitude of the problem and taking definitive action to protect itself. These measures were greeted with enthusiasm by cybersecurity companies hoping to gain business from increased federal initiatives and directives. But while the government and society are no doubt marginally more secure because of these efforts, most would say they fell well short of their promise. Bureaucracy hindered implementation while technology advanced quickly, leaving overall cybersecurity risk as great as ever.