U.S. President Donald Trump signed an executive order on Thursday in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.
The executive order states that the heads of departments and agencies will be held accountable for managing cybersecurity risk. They are required to use NIST’s Framework for Improving Critical Infrastructure Cybersecurity to manage risk, and they must submit reports to Homeland Security and the Office of Management and Budget (OMB) within 90 days.
The White House also wants authorities to support the risk management efforts of critical infrastructure operators, help improve resilience against botnets, and assess capabilities for responding to electricity disruptions. The Department of Defense, the FBI and the DHS have been instructed to provide a report on the cybersecurity risks facing the defense industrial base and military systems.
As for protecting Americans against cyber threats, President Trump wants an open and secure Internet, a plan for deterring adversaries and protecting citizens, improved international cooperation, and recommendations on the growth and sustainment of the country’s cybersecurity workforce.
Industry professionals contacted by SecurityWeek have shared thoughts on the implications of the executive order, its impact, and difficulties related to its implementation.
And the feedback begins…
Laurie Kamaiko, Partner, Sedgwick LLP’s New York office:
“[…] Concerns include whether the short time frames required in the new Executive Order for agencies to apply the NIST framework to their operations, identify their vulnerabilities and appropriate action plans, and prepare the reports required (90 days) will be sufficient for the agencies to properly and fully assess their cyber risks, especially if they have not yet begun that process. Also, will the funds necessary be provided once plans are assessed?
If the data security of the government itself is improved, private sector entities may be more willing to embrace private-public sharing of information on cyber risks. Right now, many in the private sector consider that sending their information to government agencies puts it at risk of a breach in security. However, there may now be concerns about the distribution of information shared with government agencies in light of the provisions in the Executive Order that the Secretary of Defense as well as the Directors of National Intelligence and the FBI, will be involved in the ordered effort to “support the cyber security risk management efforts of the owners and operators of the Nation’s critical infrastructure.”
Chris Roberts, Chief Security Architect, Acalvio:
“Thankfully something is now being done. That’s a positive. It has been hanging around for a while now, first with former President Obama, and then with the start of the Trump administration. I do appreciate that the federal agencies are going to be held responsible for risks within their own entrenched environments. Heck, we might actually see a set of agencies leak less than an old kitchen sieve for a change. The fact they are using NIST is a step forward, however, I would have been even happier if they had been held to PTES or some type of community testing standards as well.
Hopefully something that works, especially in light of the fact that we’re helping the National Guard work on their cyber skills, is the fact that federal cybersecurity is going to be more of a military responsibility. I’m interested to see how this plays out. Several of the .Mil family have some good skills in both offensive and defensive security. However, a lot of that brain trust is held by 1-2-3 of the core agencies. I wonder if once again we have a bullshit standoff of information withholding or if the NSA/NRO etc… are going to be more willing to share intel with the military than with the FBI etc.”
Mike Shultz, CEO, Cybernance:
“What’s the difference with this EO vs. actions that the Obama administration took? First, we’ve never had an executive order require all federal agencies to apply NIST to their entire organization. We’ve never had a mandate that requires agencies to build a comprehensive risk and mitigation report for their organization and then report to the president of the Department of Homeland Security and the director of the Office of Management and Budget. The 90-day deadline is a huge lift for an order that requires a cultural shift down to the DNA level of how we view cyber risk.
Kudos to the Obama administration for being a central force in the development of the NIST Cyber Security Framework that President Trump’s executive order now requires federal agencies to use. This executive order lights an intense fire under agency heads to be in compliance, and fast.”
Nathan Wenzler, Chief Security Strategist, AsTech:
“Section 3, item (a), especially, contains two policy items which hopefully will be leveraged to sustain the long-term improvement of our nation’s security posture: an open, interoperable Internet, and the bolstering of a cybersecurity workforce that can accomplish the necessary tasks now and into the future.
This particular section represents long-standing needs which the information security community at large has advocated for several years. An open, reliable and interoperable Internet does not cater to the preferences of major ISP corporations, it does present a level playing field in which security programs and efforts can operate in a more uniform fashion against a much larger scope of systems and web sites. Some may argue that this also makes it easier for attackers to cause damage, but, we’re already seeing consistent increases in attacks happening, even on areas of the Internet which are heavily regulated and/or filtered, so providing a more level playing field for defenders can only serve as a benefit to the nation as a whole.”
Patrick McBride, Senior Executive, Claroty:
“We are stuck in yet another round of assessments, studies, analysis and reports. We have understood the causes and implications of lax or non-existent cybersecurity protection across much of our critical infrastructure for the last decade. We need to take actions and make investments now that begin to substantially fix the problem. We are over a decade behind.
We applaud President Trump for addressing cybersecurity and specifically focusing on critical infrastructure. However, the EO had the opportunity to go beyond more studies and reports and to take some actions. We hope the President’s planned investments in US infrastructure will include meaningful investment in modernizing our critical infrastructure.”
Nathaniel Gleicher, Head of Cybersecurity Strategy, Illumio:
“The focus on securing federal networks is appropriate and needed — this is exactly where we should be investing right now, especially given the scope and scale of the threats targeting federal systems today, and the challenges we’ve faced with keeping these networks secure in the past.
The two most encouraging parts of the EO’s focus on securing federal networks are:
- The requirement that agencies follow the NIST framework. This is a concrete step towards standardizing security strategy across the federal government.
- The signal that dept/agency heads will be held accountable for the security of their organizations. Ensuring a serious focus on cybersecurity starts with ensuring that organization leaders are responsible for the security of their institutions, and will feel the impact of their choices directly. We need to make sure org leaders have the support & resources they need to make good choices, but holding them accountable is the best way to incentivize smart investment in security.”
John K. Adams, CEO, Waratek Inc:
“Today’s Executive Order is a needed first step, but it is just that…a first step. Executive Orders merely set the tone for the policy and funding work that will follow. And this one has a long tail.
Government measures time in legislative sessions and election cycles. Business leaders in annual budget cycles. Cybersecurity experts measure the passage of time in the numbers of attacks per hour/minute/second. That’s a fundamental disconnect that keeps us from effectively addressing the seemingly endless series of breaches from cyberattacks.
If this Executive Order is successful in creating the platform for all the parties to work together and work faster, it will have been a rousing success. If the status quo does not change, there are a lot of technologists who will continue to hide under their desks out of fear of what’s coming next.”
Eddie Habibi, CEO and Founder, PAS:
“We were particularly encouraged to see deterrence take a front seat in the EO. Attacks – especially from nation-sponsored groups – have become so commonplace that the Associated Press recently changed their definition of a cyber attack to include only ones that result in physical damage or widespread destruction. They did this, in part, so the public does not become inured to the ongoing risk we face as a country.
The reason these attacks are commonplace is that they have little consequence for the attackers. The federal government has a role in raising the bar on consequence. A nation-state cyber attack on the industrial control systems in a refinery that results in physical damage or injury is no different from dropping a bomb on that refinery. So long as attribution is clear, consequences must include the option of a proportional kinetic response. An orchestrated cyber attack on a volatile industrial facility can have the same result as a tactical WMD, which means we need to start treating it as such.”
Jack Kudale, CEO, Lacework:
“This executive order highlights critical topics in the nation’s cybersecurity efforts such as – migration to hybrid cloud infrastructure, shortfall in cybersecurity talent, and the importance of standards, such as NIST, for various government agencies. Essentially, this will bolster federal partnerships with the private sector as securing hybrid cloud workloads becomes critical where government and financial services traditionally lagged behind their commercial and industry counterparts.
Furthermore, this will put immense pressure on traditional security tools used in the government today for innovation so that their dependence on skilled cybersecurity resources is minimal. Finally, we believe suppliers that are heavily dependent on policies, rules and logs will have to take a backseat in the new cybersecurity stack.”
Steven Grossman, VP of Strategy, Bay Dynamics:
“[One] great feature is that the order promotes accountability, assessment and remediation of cyber risk across many stakeholders in the agency, those in and outside of security. Cyber risk management cannot solely be the IT and security team’s problem. Stakeholders across the business from application owners who govern highly valuable assets to upper management who make investment decisions, must be involved in taking action to reduce risk.
The order contains many positive steps that, when implemented, should significantly help reduce risk. However, we would like to see more continuous monitoring requirements instead of just periodic compliance like assessments and remediation. The order should not be viewed as yet another compliance checkmark; it should be a continuous process.”
John Kronick, Director ATG Cybersecurity Solutions, Stratiform:
“While the Executive Order mandates use of the NIST cyber security framework (CSF), it does NOT require CSF training for agency users of the tool, and there has been a lack of consensus on how best to use the CSF within the agency, how to remediate findings, and consequences for not addressing CSF gaps and issues.
There will, no doubt, be a flurry of reports generated as a result of this Executive Order, and just like the GAO studies and reports, follow up actions on these reports tend to get pigeon-holed and superseded due to competing priorities or budgetary pressures. And besides, the CSF does provide the option of not addressing risk issues at the discretion of the risk owner. Who will make CSF report owners accountable for the findings of the reports? Will there be a process established by the GAO or OMB to “audit” the agency CSF risk assessments? If so, how often?
Then there is the challenge of finding sufficient competently trained IT cybersecurity staff to initiate the CSF within the agencies and departments. Developing this process will take time.”
Keith Lowry, Senior Vice President, Business Threat Intelligence and Analysis, Nuix:
“[…] The new executive order falls seriously short, however, in that it fails to recognize that cybersecurity is more than an IT problem. All cybersecurity threats begin and end with humans. Another shortfall is in separating the human from the methodology of attack (using IT) will prevent the creation of the best cyber defenses. All cybersecurity events can be categorized into three main aspects: people, data, and process including IT infrastructure. Leaving out any one of these three dimensions simply creates the illusion of protection.
Additionally, being able to correlate all three aspects (People, data, and process) on a single “pane of glass” for analysis is key to threat mitigation. Lastly, no one organization is designated as in charge of cybersecurity. This needs to be elevated to a single agency head to avoid infighting, confusion, and Washington gridlock.”
Phil Quade, CISO, Fortinet:
“Though the EO speaks briefly to the protection of critical infrastructures, it’s careful not to over-play the executive branch’s hand. Since much of our critical infrastructure is owned and operated by the private industry, it is essential that we develop public-private pilots that allow different teams to join forces, while creating ‘muscle memory’ by working together, to ensure that appropriate protections and counter-measures are available and to guarantee operational readiness in the event of an attack or breach.”
Philip Lieberman, President, Lieberman Software:
“If there is no budget from Congress for the order, it will have little real effect. All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.
Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved. Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”
Sanjay Beri, CEO, Netskope:
“The President’s executive order does not propose a concrete plan for cybersecurity, it merely calls for a top to bottom review of where things stand. While this is a step in the right direction, kicking the can down the road leaves remaining questions about what exactly the administration’s plans are for tackling what has arguably emerged as the single most existential threat to our livelihood: defending our cyber infrastructure.
What’s more, the administration has yet to fill the Federal CISO vacancy, leaving the government without a leader at the helm to help implement and enforce security policies and practices. For a president so concerned about establishing a positive legacy, this seems an obvious — and critical — area to address.”