A set of attendees at this week’s RSA conference in San Francisco were surveyed by The Cybersecurity 202, a newsletter that is part of The Washington Post in an attempt to gauge their perspectives on whether critical infrastructure is safer today than it was in 2017 when President Trump signed an executive order (EO) pledging to improve critical infrastructure security.
Those surveyed were members of The Network, a body of 100 cybersecurity experts; 78% of the 72 individuals who voted answered no. While today’s headline claims, “Trump's Efforts Failed to Make Critical Infrastructure Safer from Cyberattacks, Experts Say,” Akamai CSO Andy Ellis points out that there is an important caveat.
“The Network’s survey question didn’t ask if the critical infrastructure was more or less safe as a result of the Administration’s executive order, merely if it’s safer today than it was then. I think that’s a critical distinction and important in looking at the issue.”
Part of the 22% of respondents who responded yes, Ellis said, “I think that critical infrastructure is, on the whole, somewhat safer – and I credit the major cloud players, whose work in providing a more secure baseline of browsers, TLS encryption and cloud 'hosting' is instrumental. A few years ago, we didn’t have encryption everywhere; shared infrastructure was not much better than doing it yourself (if at least faster), and browsers didn’t really take the lead on pushing everything forward.”
Recognizing that the web is only a piece of critical infrastructure, Ellis said that it has massive economic value and acknowledged the key distinction that “better” doesn’t mean perfect. “It just means that, on the whole, I’m more optimistic about our future now than I was two years ago. There are still critical infrastructure industries that lag behind on safety and security architectures, so there is more work to do.”
Yet there is the implied thrust of the question and rebuke in asking whether the executive order made critical infrastructure safer, which was not what was asked. “If that had been the question, I probably would have sided with the no camp but not seen it as a stinging rebuke,” Ellis said.
“Government rarely moves that fast! Consider the 2004 NIAC Internet Hardening working group report, of which I was one of the authors. That report is just now starting to pay dividends, despite resulting in DHS directives, and directed funding. But when we look at the BGP security progress starting to be driven by a lot of folks – including Sharon Goldberg at BU – we can trace that impetus back 15 years to government action. That’s just a reality of the levers of government; if an EO had managed to actually improve cybersecurity that much in just two years across all of the industries at play, that would have been an unprecedented success!”