Trump’s Cybersecurity Executive Order Should Serve as a Starting Point, Not the Be-all-end-all for Ensuring a Comprehensive Program
President Trump recently signed the much-awaited executive order focused on strengthening the cybersecurity of federal networks and critical infrastructure. It is a wide-ranging order that touches on everything from the need for an agency-by-agency risk assessment to dealing with outdated infrastructure and botnets, and developing a cyber-educated workforce.
The executive order is a solid step towards improving the security posture of government, with a focus on a risk-based approach.
At the core of the assessment process is the NIST Cybersecurity Framework, which has been broadly adopted across private industry and government as a benchmark against which organizations assess their security programs.
While it certainly does not address every nook and cranny of cybersecurity, it serves as an overarching framework and common language. Users should think of it as a starting point, but not the be-all-end-all for ensuring a comprehensive program.
Few sizable agencies or enterprises realistically have everything they need to know at their fingertips to comprehensively evaluate every aspect of their program against the framework. The initial assessment will require a lot of manual data gathering to properly characterize the operation against the many different requirements. Along the way, identifying the source of each piece of information will allow for progressively more automation, leading to a continuous monitoring mode of operation.
Like any other regulation or compliance requirement, one of the dangers of an order like this latest one is that it can take on a life of its own, leading stakeholders to lose sight of the forest for the trees.
The executive order is intended to provide motivation and guidance for agencies to get their house in order, and cannot possibly prescribe every step in the process (nor would anybody want it to).
It is important for practitioners and stakeholders in the government to be mindful of the goal of a more secure government, and not to treat the report due after 90 days, and every year thereafter, as the end goal in itself.
The order is an opportunity for government CISOs to rally the troops across their agencies to initiate a cyber risk management process with a mindset of continuous compliance, shifting every function to asking daily, “is what I am doing putting my agency’s data and systems at risk?”
One aspect of the order that supports the concept of making security everybody’s business is the requirement to establish integrated teams of senior executives across IT, security, budgeting, acquisition, law, privacy, and human resources. It emphasizes that this is not a problem that will be resolved by the CISO or CIO alone, but requires a comprehensive team effort across the agency’s functions.
The order promotes a risk-based approach. Note the repeated references to “Cybersecurity Risk,” the notions of risk and asset value in statements like “commensurate with the risk and magnitude of the harm,” and the sections on “Support to Critical Infrastructure at Greatest Risk” and “Assessment of Electricity Disruption Incident Response Capabilities.” This risk-based approach encourages agencies to prioritize risks to their most important missions rather than focusing only on technical prescriptions like vulnerability scanning or the like. It is an approach that speaks a common language of risk, familiar to those outside of security, and is certainly near and dear to the defense side of government.
In addition to the traditional aspects of cybersecurity, the order also touches on other activities that indirectly but significantly impact government agencies’ cyber risk posture.
Many agencies and private enterprises would rather let sleeping dogs lie, not touching functional though outdated systems, and do not pay enough attention to the residual risk that comes with being unable to patch an outdated OS or application. The sections of the order that address the risks associated with “antiquated and difficult-to-defend IT” promote weighing the cost of exposed IT infrastructure against the cost of replacement, a mantra often heard from former federal CISO, Ret. Gen. Greg Touhill (aka “Touhill’s law”).
Finally, the section that addresses developing cyber skills and competency in the workforce is critical. We in the industry are all familiar with the challenge of finding and keeping quality people with cyber experience. Shining more light on the problem and promoting training can only benefit the industry as a whole, but there also needs to be a more immediate plan in place for response until that ramp-up occurs. Automation of mundane, repeatable tasks is critical to an effective cybersecurity program, and allows human resources to focus on the higher-level activities not suitable for automation.
Overall, I applaud President Trump’s executive order and hope that it provides the incentive to raise the bar of our government’s cybersecurity posture. In combination with the many active government programs that are already in motion, such as Continuous Diagnostics and Mitigation (CDM), it can only help move the ball forward.