CIOs who overlook the US government’s cybersecurity orders do so at their peril — and that of their enterprise. That’s what former US Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs stressed during his keynote presentation at Gartner IT Symposium/Xpo last week.

Remarking on the Biden administration’s cybersecurity executive order signed last May, Krebs said CIOs should worry less about meeting the initial order’s basic regulatory compliance for security and instead harden their infrastructure as much as possible in anticipation of escalating attacks and additional cybersecurity orders in the future.

“Critical industries — those that really do tie into the continuity of the US economy — [are at risk] and I expect, based on some of the events of the last couple of years, that we will see an enhancement of those compliance regimes,” Krebs said. “You don’t want to end up in an environment that is just a checklist-based approach because you’re spending money that could go for security programs.”

Amid highly publicized attacks such as the compromise of SolarWinds at the end of last year and ransomware attacks at Colonial Pipeline and JBS meat packers, which paid $11 million to cybercriminals, the Biden administration in May issued an executive order that includes new mandates for software procurement and adopting multifactor authentication architectures, as well as a series of other requirements to safeguard public and private assets.

The recently created CISA joins the CIA, FBI, National Security Agency, and National Security Council in coordinating and broadening public-private partnerships and in enforcing the executive mandates because all cyberattacks threaten national security, Krebs said.

CIOs across the public and private sectors are scrambling to secure their infrastructures.

“Cybersecurity is huge,” said NASA CIO Jeff Seaton during the Forbes CIO Next event held last week. “Things will continue to move online. And so the threats that exist in the online world are only expanding. For me, for us, it is a primary area of focus.”

Seaton, who was confirmed as CIO in January after eight months as acting CIO, stressed the magnitude of the concern. “It used to be that if you were going to be attacked, you had to have physical proximity to what you were going to attack. And now it can happen from, you know, on the other side of the globe,” he said. “So we have to take it seriously.”

Reshaping cybersecurity requirements

As part of his keynote, Krebs outlined four roles the US government is playing to strengthen public-private security partnerships: as consumer, enforcer, defender, and advisor.

Biden’s executive order upped the ante on security requirements for software procurement undertaken by government entities, whether on the civilian side or the Department of Defense, which is the largest consumer of IT in the US, Krebs said.

“The software, the services, and the products that the US government [purchases] are the same SKUs and the same products that you in [private] industry regardless of sector or segment are buying as well,” Krebs said, noting that manufacturers that incorporate software into their products will also be on the hook.

The executive order also raises the bar on quality control throughout the software development lifecycle for all manufacturers. “When the government says do this better … the government is not the only beneficiary. It’s everyone else so on the consumer side,” Krebs said. “If we know the attackers are going to target the supply chain, why not hold IT vendors responsible when they produce insecure offerings like faulty cars?”

One former government agency CIO who is now a small business owner said the private sector should run to — not hide from — the executive order’s mandates because they will benefit all.

“Having served as the CIO for the US Capitol Police and the Chairperson of the Legislative Branch of Government, I would encourage the public sector, especially federal government software/service vendors to lean forward as it pertains to transparency, reporting, and cooperation related to cybersecurity incidents affecting the integrity of their software, impact to customer data, and the supply chain,” said Heath Anderson, noting the executive order has a framework for public/private partnership by establishing a Cybersecurity Safety Review Board.

“Active participation by private industry is critical in improving future incident responses and recovery,” said Anderson, who is now CEO of Roam Advisors in Carlsbad, Calif. For the government’s part, Anderson told CIO.com it is moving toward a zero-trust architecture (ZTA) and is accelerating its push toward secure cloud services.

Government as enforcer and advisor

Enforcement agencies will be on the prowl for violations of the executive order’s various mandates. This includes not only law enforcement agencies such as the FBI, but also regulatory agencies such as the Securities and Exchange Commission for publicly traded companies and the Federal Energy Regulatory Commission for the energy sector.

CISA, for its part, is not intended to be a watchdog but a “value-driven organization, so it really does look like the private sector or at least a participant in the market,” Krebs said, adding that the cybersecurity agency’s investments and executive order will have a “cascading effect” on the government’s R&D spending to the benefit of private industry.

“The [U.S.] government needs to continue pushing into the R&D space but not just in defense and national security community but in the broader civilian space,” Krebs said, claiming that China has been very adept in this area, knowing that when they “invest in their technology sector, they’re doing it from a GI economics perspective.”

As for the enterprise, all businesses need to do a better job patching VPNs and deploying multifactor authentication, Krebs said, adding that Biden’s executive order gives government agencies more leverage to provide risk management practices and help to private enterprise when needed.

“Cybersecurity is not just a technical risk anymore,” Krebs said. “If Colonial taught us anything, it’s that ransomware [poses] a business continuity risk and functional disruption of the ability of your organization to deliver critical assets down to the client and also ensuring you’re protecting your shareholders and other stakeholders.”

Roam’s Anderson agrees that it is imperative that the private sector not overlook the executive order’s mandates.

“With respect to a ransomware attack or other detrimental cybersecurity incident affecting our services or customers, we need to work with government contracting to strengthen contract language, be transparent with our customers, and report and cooperate with appropriate law enforcement,” he said.