After months of waiting and leaked drafts, U.S. President Donald Trump signed a cybersecurity executive order yesterday that aims to strengthen U.S. government networks and critical infrastructure.
The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a press briefing on the order.
A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.
“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.
“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear. Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”
“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”
As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.
“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.
Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. Each agency has been instructed to provide a risk management report to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.
“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”
Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).
“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”
Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.
“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”
Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.
“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”
This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud.
“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”
Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board, because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.
Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.
The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.
“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dent in this problem.”
Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public.
“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. “I think it can be a lot harder when there isn’t transparency, at least at the core level.”
He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward.
“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”
The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.
In particular, the order asks for the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.
Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president.
“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. “I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”
The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States.
This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”
Not to be ignored, however, are potential strides the government could make with device manufacturers, who, Ackerly says, could be encouraged to create devices that are inherently more secure and less likely to be compromised and made part of a botnet.
One action Ackerly thinks would be a risky choice for the government is encouraging active attacks as a way to prevent botnet attacks.
“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”
The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce.
The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, amongst others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. It also requires the secretaries to document a strategy for international cooperation in cybersecurity.
“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.
“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.
The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.
Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”