US President Donald Trump has signed the long-delayed executive order on cybersecurity.
The EO, which has been on hold since January while agency heads weighed in on what it should contain, focuses on both the antiquated network security of federal agencies and critical infrastructure—and echoes measures implemented by both President George W. Bush and President Obama.
Most notably, it mandates that the entire apparatus of the federal government move to a shared, consolidated network architecture and IT infrastructure, including email and cloud services.
As a first step, each federal department must implement NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which creates standards for cybersecurity practices across various government agencies. Departments must also submit a risk assessment report containing information on what known but unmitigated vulnerabilities exist in each agency, unmet budgetary needs for improving and modernizing networks and preferences for modernized IT choices. The American Technology Council will then compile a report to be delivered to the president within the next three months that lays out a roadmap—including timelines and milestones—for transitioning to a common infrastructure.
That will of course be easier said than done. “Today's order on its surface seems like a good first step, but in practice it may take a very long time for it to bear any edible fruit,” said Richard Henderson, Global Security Strategist, Absolute, via email. “In regards to the first part of the order: The aftermath of the massive Office of Personnel Management (OPM) breach taught us that many agencies inside the massive machinery of federal government are archaic, and held together by incredibly hardworking people on shoestring budgets.”
A shared services model might be the way forward, but Henderson warned that it can be difficult for a centralized agency to predict the unique needs of the agencies under its purview. “That can lead to bloated budgets, systems left operating that are vulnerable to breach or denial of service, or agencies pushing back on the agency managing the shared services model,” he added.
On the critical infrastructure front, the order tasks the Department of Homeland Security (DHS) with reporting to the White House on the current state of cybersecurity for these systems—the first report is due in six months, and will be refreshed on an annual basis. Included will be an assessment of the potential for “catastrophic” effects on regional or national public health and safety, economic security or national security stemming from an attack, along with recommendations for hardening systems going forward. The EO calls out threats to the energy grid specifically, and mandates a separate report on what the effects of a prolonged power outage would be.
This is an absolute must, given the aging IT used to run most of this infrastructure. “Critical infrastructure is the backbone of our entire way of life today,” said Henderson. “Virtually every transaction, every piece of communication, and the world as we know it now... it is all dependent on telecommunications networks and the electric grid. Society would be thrown into absolute bedlam if we weren't able to turn on the lights, keep our food chilled, or conduct commerce.”
The order also lays out goals for a comprehensive cyber-deterrence strategy, including building a more cooperative framework with US allies, efforts to help secure private-sector networks and the creation of a targeted effort to “educate and train the American cybersecurity workforce of the future.”
“It’s difficult for the government to maintain a technically sophisticated workforce, especially with the lure of Silicon Valley,” said Kevin Davis, Splunk VP of public sector, via email. “Both sectors are strapped for qualified cyber-talent that can protect our respective enterprises. With that, we should expect to see funding for higher ed school programs to train new cyber-recruits to build up a new cadre of talent that serves both public/private sector. The role of the security analyst has never been more important as government seeks to detect and respond to threats quicker.”
Overall, the EO stresses the importance of information-sharing with the private sector and across a myriad of agencies.
Jake Olcott, former legal advisor to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security Committee and current VP at security ratings and risk assessment company BitSight, said that he’s hopeful that the initiatives being put forth will help to bring the United States into the 21st century when it comes to protecting data and systems.
“By focusing on executive-level accountability, securing the third-party ecosystem and developing a market-based approach to securing critical infrastructure, the executive order brings some of the best initiatives from the private sector and applies them to the government,” he said via email.