Don Maclean is the chief cybersecurity technologist at DLT Solutions.
With cyber breaches and ransomware threats such as the recent WannaCry attack a constant concern, government agencies must attack cybersecurity problems head on. President Donald Trump’s cybersecurity executive order (EO), formally titled the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, provides an outline of the administration’s priorities for protecting federal IT systems and data. It includes some positive initiatives, but it also omits or underemphasizes some important efforts that would improve the nation’s long-term cybersecurity posture.
What did the EO get right?
The need to modernize federal IT — reinforced by the introduction of the Modernizing Government Technology Act on Capitol Hill and Trump’s proposed fiscal 2018 federal budget — is widely accepted. The EO correctly recognizes that modernization must be an ongoing process and not a one-time effort. Agencies need the ability to rapidly adopt modern cybersecurity tools, but doing so will require both budget and institutional supports.
Another positive aspect is that the EO requires budget analyses from agency heads to assess modernization from a financial standpoint. It also instructs agency heads to take advantage of economies of scale from shared services, particularly cloud services. While the focus on modernization isn’t the only positive facet of the EO, it could be the most significant.
The EO requires agencies to align their cybersecurity efforts to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), which may result in unproductive outcomes. According to NIST, the framework seeks to use “business drivers to guide cybersecurity activities and [considers] cybersecurity risks as part of the organization’s risk management processes.”
While the motive behind this effort is well intentioned, by requiring that agencies adhere to additional reporting measures, the impact may be to simply generate additional paperwork and duplicative reporting. The information required by the one-off reports should already be available, so an additional report is unlikely to offer new insight. The CSF control set closely parallels the control regime already in place under NIST 800-53 Rev. 4, so adoption of the CSF will do little to improve security, while generating a large amount of new documentation — a boon to those who write it, but a distraction from the hard-core business of implementing technology to enhance security.
The EO also clearly states that agency heads will be held accountable for their cybersecurity posture. While this is a step in the right direction, there are two major issues with this accountability structure.
First, the EO allows agencies to assess their own risk-management status. In practice, this means that agencies can hire a company to assess their own agency, creating a situation where contractors may feel compelled to offer a positive review.
Contracting assessments through a centralized agency, such as the Homeland Security Department (DHS), the Government Accountability Office (GAO) or Office of Management and Budget (OMB), could address this, yielding more neutral reviews and reliable results.
Second, although the EO states that agency heads will be held accountable for their cybersecurity posture, it does not specify the consequences of inadequate results. While agency heads might be subject to termination for obvious violations, security officers and staff should not be immune to termination, demotion, or salary reduction. Contracting staff typically run security operations, so contracts should include financial penalties for clear neglect or violation of requisite security measures.
Conversely, it provides no incentive for excellence. A bonus structure for high performance in agencies — and accountability for a failure to comply — could improve security across government.
Admittedly, it may be difficult to implement a bonus system for government employees, as there is often no extra budget or time off available. The government, however, often uses systems integrators to manage cybersecurity programs. It is quite feasible to include an incentive program into contracts with such companies.
As a broad mandate, the EO is a step in the right direction when it comes to improving security, ensuring accountability and supporting ongoing IT modernization.
Nevertheless, some elements, such as requiring alignment with the NIST Cybersecurity Framework, could simply result in more paperwork and bureaucracy, both of which are concerns for agencies already. It also fails to mandate independent security assessment, offers no positive incentive for excellence, and no consequences for an insufficient security posture.
What impact do you expect the EO to have on your agency?
Agencies dodge WannaCry bullet, but legacy IT still jeopardizes networks