On Thursday, President Donald Trump signed a long-awaited executive order on cybersecurity.
Mainly, the order requires a number of cybersecurity reviews across the various agencies of the federal government, in order to determine what must be done to strengthen federal computer systems, as well as the United States’ critical infrastructure.
Here are some of the industry reactions to the executive order that Help Net Security received.
Leo Taddeo, CISO at Cyxtera Technologies
What the order does:
- The very first section of the order puts federal agency heads on notice that the President will hold them accountable for the effective management of the cyber risk within their respective agencies. While agency heads have always been accountable, this explicit assignment of responsibility elevates the issue and should focus more attention on addressing the threat.
- The order requires agency heads to implement the NIST Risk Management Framework to develop assessments and plans. This is an important step in normalizing the process for risk management within the federal government. It’s also a big boost for the NIST approach and will likely lead to broader adoption in the private sector as well.
- The order directs agency heads to show procurement preference for IT Shared Services, including email, cloud, and cybersecurity services. While the push toward shared services is not new, it is important to note the emphasis of “cloud” in the context of a cybersecurity order. This is a change from the past, where IT professionals avoided the cloud because it was perceived to be less secure. The President’s endorsement of the cloud shows that the more common thinking today is that cloud means higher security. Companies providing security solutions in the cloud, such as Cyxtera, may see an uptick in federal business as these preferences translate to projects and spending.
- In Section 2, the order directs an examination of federal policies that promote appropriate market transparency in cybersecurity risk management for publicly traded critical infrastructure entities. This appears to be an attempt to allow investors to gain better access into the cyber risks faced by the infrastructure companies they invest in. This is a novel “market” approach to creating a financial incentive for infrastructure entities to take steps to protect themselves.
- The order directs agencies to encourage stakeholders to promote action against botnets. This is a forward-looking goal, as the threat from hijacked devices in the “internet of things” looms over the horizon. Unfortunately, we will have to wait for the plan to see the specific proposed solutions.
What the order does not do:
- The order is not a plan to fix the federal government’s cybersecurity challenges. Instead, it’s a directive to each agency to implement the NIST framework to assess the agency’s cyber risks and create plans to mitigate them. The task of judging the adequacy of the assessments and the plans falls on DHS and OMB. This is a risky approach, given DHS’s questionable track record in cybersecurity.
- It does not direct any new spending on cybersecurity. Assessments and plans are relatively cheap. The real pain will come when the only way to become more resilient is to spend large sums on new infrastructure and highly skilled staff. These decisions are left for an undetermined later date.
Overall, it appears the order implements important first steps. It highlights the cybersecurity issue, puts agency heads on notice that they are accountable, and directs them to assess the risks and develop plans to mitigate them. This is a solid approach. The question is whether agencies will be able to execute the plans within reasonable spending constraints. The best hope in the order is the emphasis on shared services as a means to increase cybersecurity and reduce spending.
Tom Pageler, Chief Risk Officer and Chief Security Officer at Neustar
It is positive to see the administration prioritizing cybersecurity and adopting an enterprise risk management approach similar to how leading private firms rank, assess and mitigate cyber threats. However, the order as written raises some red flags. First, the order emphasizes that government agencies should be following NIST, but in reality, most should be or already are doing this, so this is not a shift or something new to improve cybersecurity. An even greater concern is that there is no mention of funds being allocated to upgrade the tools and hire the qualified talent in order to execute on this order. As many organizations know, these are some of the biggest challenges in securing infrastructure. So without committed budget to this initiative, it is likely to result in very little change in the security posture of most agencies.
Chris Pierson, General Counsel and Chief Security Officer at Viewpost
Critical to anything regarding cybersecurity is ownership. Each agency head is now on alert that they own cyber as a part of their duties and must govern and appropriate time, budget, and people to tackle this. This is a critical first step as it places the onus on each Agency Head to make sure cyber is part of their mission. The one throat to choke for accountability for federal cybersecurity is now clear.
I also like the executive order focusing on the highest risk critical infrastructure – DIB, energy, and telecom. We cannot defend or protect every sector and it is clear some threats are more impactful, so concentrating on a few is wise.
Finally, the call for consolidated and updated IT is key to modernizing systems, leveraging robust security controls, and minimizing data spread and leakage. He who defends all, defends nothing and protecting access and the security of consolidated data will provide cyber defenders with greater chances of success.
Travis Farral, Director of Security Strategy at Anomali
As noted in the order, the sharing of information facilitates and supports all aspects of cybersecurity risk management – ranging from protecting data to detecting anomalies and incidents. When an organization, including the federal government, operates largely in silos, it misses out on a valuable force multiplier: leveraging resources from other agencies through sharing intelligence and other crucial information. Threat intelligence sharing should serve as the backbone of a strong cybersecurity program, and with more robust cyber threat information sharing protocols in place, U.S. government agencies can better leverage resources to defend against cyberattacks.