The increasing importance of cybersecurity was underlined in President Biden's executive order of May 12, 2021. That focus has since been reiterated, and described even more emphatically, in the context of the Russian invasion of Ukraine. A surprising conclusion from these governmental missives is that in the high-tech world of cybersecurity, the core challenge is not advanced cryptographic methods or quantum computing, but simply implementing known best practices in the real world. I'll bet you never thought you'd see a president issue an executive order describing how to handle logging, but that day has come. Let's take a look at what the highest levels of government are calling for in cybersecurity.

Act Now to Protect Against Potential Cyberattacks

The White House issued a fact sheet on March 21, 2022 summarizing recommended cybersecurity actions, titled Act Now to Protect Against Potential Cyberattacks. The document begins by highlighting the danger posed by Russia-based threat actors, citing current intelligence that these threats are very real. Indeed, the warning appears to be coming true.

The fact sheet describes efforts to harden critical infrastructure such as water and gas utilities and to unify the international community against cybercrime such as ransomware. It then acknowledges that the majority of critical infrastructure in the US is "owned and operated by the private sector," rather than by government, and directs readers to CISA's Shields Up page, a clearinghouse of information on mitigating cyberattacks. Finally, it outlines the steps organizations should take.

The suggestions range from the specific, like using multi-factor authentication, to the near-philosophical, like making security something you "bake in, not bolt on." On the practical side, the overall message is admirably comprehensible and approachable, especially considering the collision of bureaucracy and technology involved. Its recommendations can be summarized as:

- Use MFA
- Use up-to-date antivirus software
- Keep in touch with your security people
- Change passwords frequently
- Back up data to offline storage
- Practice emergency drills
- Encrypt your data
- Educate employees about common attack tactics and symptoms
- Engage with the FBI or CISA before an attack occurs, so that a relationship already exists

Then the document shifts into the more theoretical. To begin with, as mentioned earlier, we should "bake in" security. This is sensible advice: those of us developing systems should keep security in mind all along the way instead of trying to add it at the end. Something like the security version of Aristotle's old edict. Bearing security in mind at all times rings true, as it prompts us to consider the security implications of each change as we make it. On the other hand, it bears some resemblance to the old premature-optimization debate. We're not going to wade into that here (or into the test-driven development debate, or any similar one). I just want to point out that software development is laden with complexity and obstacles to action, and security considerations must be harmonized with the rest of the equation.

The next bullet point in the fact sheet states: "Develop software only on a system that is highly secure and accessible only to those actually working on a particular project." This one makes the reader pause for a moment; it seems to have arrived at the conclusion that in order to build secure systems, we should build secure systems. If we are patient, the next sentence delivers the full meaning: "This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property." What the framers of the fact sheet are driving at is something like a rephrasing of zero trust architecture, or at least of least privilege: grant access only to those resources that people strictly need to accomplish their legitimate tasks, so that a compromised developer workstation or build host does not become a pivot into the rest of the organization.

The next item on the list is a call for software developers to use modern tools to check for vulnerabilities, meaning tools like GitGuardian and CodeScan, as well as Dependabot and WhiteSource. Not surprisingly, there is a focus on open-source software components. It's easy to see why: OSS is used intensively, and its very nature makes it available to attackers for research and exploitation. One of CISA's core requirements for government software is that all open-source components pass its security tests.

"Software developers are responsible for all code used in their products, including open-source code," says the fact sheet. This is quite a statement. Is a developer responsible for the vulnerabilities in the systems they deploy on? What exactly does "responsible" mean here? Ethically?
Functionally? It's a door that is potentially wide open. The probable meaning is simply to reinforce the need to know what components are going into a system, instead of Googling for the task at hand and installing whatever turns up from npm or Maven or whichever repository is handy.

Improving the Nation's Cybersecurity

Up to this point, the fact sheet is rather manageable. It concludes with a final bullet, however, directing the reader to the president's Improving the Nation's Cybersecurity executive order, a document designed to rearchitect the cyber ship of state. The ideas therein are now required for software used in federal government systems and recommended for everyone else. It is downright sprawling, jumping from institutional mandates directing DHS to collaborate with OMB in sharing information with the FBI, to hands-on guidance on how logs are to be stored.

Although the effort to secure such a vast ecosystem of public and private sector systems is monumental, especially in the face of motivated and well-funded nation-state actors, the basic drift of getting the cybersecurity house in order comes through loud and clear.

It should be acknowledged that even when discussing technology topics the order remains even-handed and knowledgeable without becoming bogged down in detail. It recognizes the new reality of cloud-based infrastructure and the need to collaborate with providers both in securing systems and in sharing information.

A vision of public-private partnership

The order also explicitly states that truly improving national cybersecurity demands collaboration not just among the government organizations tasked with the job, but between government and business: a partnership of the public and private sectors is envisioned.

The EO exhorts that "the Federal Government must lead by example." That vision encompasses both all software used by the federal government (by requirement) and all software in general (by recommendation). This of course adds another layer of complexity to the effort: not just mobilizing the government's cybersecurity apparatus, but encouraging business to do the same, with all the perils that entails. In particular, it reveals the need to navigate not just two tricky paths, bureaucracy and technology, but a third, the corporate world.

A hopeful sign

The order is unafraid to dive into the technology deep end and wade through the alphabet soup. The following section reads as though it could have been written by a software CTO:

"The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals."

It's heartening to see the fluency with which the order moves from the governmental realm to the technological. It appears that the bureaucrats and politicians are, at the high level at least, successfully coordinating with the technologists. The theory looks good. It remains to be seen how the ongoing implementation of these sensible ideas will go in practice.