Connect with us

Hi, what are you looking for?



Federal Agencies Respond to 2017 Cybersecurity Executive Order

Federal Agencies Respond to 2017 Cybersecurity Executive Order

Federal Agencies Respond to 2017 Cybersecurity Executive Order

The U.S. Department of State, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week published reports in response to the cybersecurity executive order signed by President Donald Trump last year in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.

Department of State on deterring adversaries

The Department of State has published two reports with recommendations to President Trump on reducing the risk of cyber conflict, detering malicious actors, maintaining an open and interoperable Internet, and protecting the country’s cyber interests through international cooperation.

The State Department believes the United States can deter both state and non-state actors using two approaches: improving the security of its networks, and through “cost imposition.”

The goal is to prevent cyberattacks that can be classified as use of force, and a long-lasting reduction of less serious destructive and disruptive activities that fall below the use of force threshold.

“The President already has a wide variety of cyber and non-cyber options for deterring and responding to cyber activities that constitute a use of force. Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the State Department’s report reads.

It adds, “With respect to activities below the threshold of the use of force, the United States should, working with like minded partners when possible, adopt an approach of imposing swift, costly, and transparent consequences on foreign governments responsible for significant malicious cyber activities aimed at harming U.S. national interests.”

Advertisement. Scroll to continue reading.

Criminal charges, prosecutions and sanctions can represent an efficient deterrent, but the government should make it clear to potential adversaries that they would face consequences if they engage in malicious cyber activities. However, these types of actions may not deter some threat actors, such as terrorists, in which case the solution is increasing the operational cost and complexity for the adversary to achieve its goal, the State Department said.

OMB report on cybersecurity risk determination

The Executive Office of the President through the OMB has published a Federal Cybersecurity Risk Determination Report and Action Plan, which assesses cybersecurity risk management capabilities across federal agencies and provides recommendations on addressing gaps.

An analysis of 96 civilian agencies showed that 71 of them had been assigned an “At Risk” or “High Risk” rating for their ability to identify, detect and respond to cyber incidents and recover from them.

“OMB and DHS also found that agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers their facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity,” the OMB said in its report.

The OMB and DHS have detailed the actions required to address cybersecurity risks and say they have already started implementing them.

Department of Commerce and DHS on enhancing resilience against botnets

The Department of Commerce and DHS have published a report on enhancing the resilience of the Internet against botnets and other automated threats.

After collecting data on the matter, the agencies determined that international collaboration is needed due to many devices ensnared by botnets being located outside the U.S. They also believe this challenge can only be solved through collaboration between different stakeholders.

The organizations found that while the tools and processes required to address the problem exist, they are not applied in some market sectors due to various reasons, including budgets, lack of awareness, lack of incentives, and insufficient technical expertise.

“The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives. No single investment or activity can mitigate all threats , but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience,” reads the report from the DHS and the Department of Commerce.

DHS and Commerce on cybersecurity workforce

The DHS and the Commerce Department also published a report on supporting the growth and sustainment of the United States’ cybersecurity workforce.

According to the report, there had been nearly 300,000 cybersecurity-related job openings in the United States as of August 2017. The agencies believe veterans represent an underutilized workforce supply, and women and minorities are underrepresented in the field. They admit that while pay for cybersecurity roles is typically above average, the government pays cybersecurity staff below the level needed to attract the necessary talent.

“A successful cybersecurity workforce strategy for the Nation should include an enhanced focus upon the value of diversity and inclusion and convert it into a potent resource that can be used to great advantage. Fostering and sustaining a diverse workforce will support the ability to find new talent to carry out this effort and to uncover novel ways to solve problems. Integrating cyber security concepts in to our primary and secondary education curricula will generate early interest in cyber security in a manner that cuts across all sectors of American society. Among workforce – aged adults, veterans, women, minorities, and the economically disadvantaged should be aggressively recruited, without compromising required standards,” the report reads.

Related: U.S. Energy Department
Unveils Multiyear Cybersecurity Plan

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.