Agencies should no longer be on an island when it comes to cybersecurity. The White House is requiring agencies to take an enterprise approach to cyber risk assessment and mitigation, and stop protecting their networks and data as if their efforts don’t impact their fellow departments.
President Donald Trump signed the much-anticipated and long-awaited executive order refocusing the federal cybersecurity efforts around three broad categories:
Protecting federal networks
Protecting critical infrastructure
Securing the nation through deterrence, international cooperation and the workforce.
In the EO, the White House is telling each agency to provide a risk management report to the Homeland Security Department and the Office of Management and Budget (OMB) within 90 days.
The report should include details of the risk the agency has decided to accept and not accept, the strategic, operational and budget considerations that informed these risk decisions, and the agency’s plan to implement the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology.
“[The NIST framework] is something we’ve asked the private sector to implement, and not forced upon ourselves. From this point forward, the departments and agencies shall practice what we preach and implement that same framework for risk reduction,” said Tom Bossert, the assistant to the President for homeland security and counterterrorism at the White House, on May 11 during the daily White House press briefing in Washington. “The executive order directs all department and agencies heads to continue their key roles, but it also centralizes risk so we view federal IT as one enterprise network. If we don’t do so we will not be able to adequately understand what risks exist and how to mitigate them.”
Bossert said hacks like the one suffered by the Office of Personnel Management, where 21.5 million current and retired federal employees had their personal data stolen, would get the right amount of attention under this enterprise approach to cyber.
“We need to look at the federal government as an enterprise as well so that we no longer look at OPM and think, ‘you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “What we like to do is look at that and say that is a very high, high cost for us to bear and maybe should look at this as an enterprise and put collectively more information into protecting them than we would otherwise put into OPM looking at their relevant importance to the entire enterprise.”
Bossert said it’s not just a budget issue, but part of the risk management decisions all agencies now are expected to make.
Bossert said the White House will look at what risks each agency accepts and which ones are mitigated.
“That mitigation will come through a centralized place,” he said. “We’ve seen other countries, Israel, others, adopt a centralized view of risk management and risk acceptance decisions.”
Bossert said part of the enterprise view of the government is moving to shared services.
The executive order emphasizes the “strong preference” in procurement for shared IT services, including email, cloud and cybersecurity services.
“If we don’t move to shared services, we have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that is a wise approach. If we don’t move to secure services and shared services, we will be behind the eight-ball for a very long time.”
As part of this move to the cloud and shared services, Bossert said the American Technology Council (ATC), which Trump created May 1, will lead the effort to modernize federal IT.
The director of the ATC will develop a report along with DHS, OMB, the General Services Administration and the Commerce Department within 90 days to describe the legal, policy and budget considerations of transitioning agencies to one or more consolidated network architectures, shared IT services and assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity.
In all, the EO asks for 14 reports from agencies in anywhere from 45 days to 240 days, including six of them in the next 90 days.
Jake Olcott, the former legal advisor to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security Committee and current vice president at security ratings company BitSight, said in a statement that the EO “recognizes the importance of senior-level accountability and data-driven transparency as critical elements in improving national cybersecurity.”
“This executive order sets up a framework for collecting information about specific cybersecurity problems that the federal government faces today. In the short-term, cybersecurity information will need to be shared with national security staff immediately,” Olcott said. “We need to build world-class IT infrastructure for our government, across the board. If some agencies are not performing highly, we need to determine what is needed to get them up and running. Civilian agencies, for example, continuously struggle with cybersecurity awareness and performance, but they, and their contractors, have access to sensitive data. It’s not just federal agencies. The government’s recognition that contractors could very well be the weak link is a big shift. Now we have to implement this path forward with a proven, data-driven approach in order to bring the government’s infrastructure into the 21st century.”
Amit Yoran, a former director of the U.S. Computer Emergency Readiness Team (US-CERT) program at DHS and now CEO of Tenable Network Security, echoed Olcott’s comments about accountability, saying changing the federal approach to cyber can only happen if security is prioritized at the highest levels of government.
“The single biggest opportunity facing the new administration is modernization, which requires smart investments in security technologies that can help government agencies understand and reduce their cyber risk,” Yoran said in a statement. “As agencies embrace modern IT, including shared cloud services and Internet-enabled devices, it is important to understand the changes in the attack surface and embrace new opportunities to enhance security.”
In addition to federal networks, the EO wants agencies to refocus efforts on helping the private sector protect their critical infrastructure. Among the requirements outlined by the White House is a new task for DHS and Commerce to examine how existing federal policies and practices promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities. Trump wants a report within 90 days.
Trump wants a report within 90 days from the departments of State, Treasury, Defense, Justice, Commerce and Homeland Security as well as the United States Trade Representative, and in coordination with the Director of National Intelligence on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
Olcott said another key part of the EO that has been overlooked for some time is the focus on DoD contractors and third-party vendors to the government.
He said the vendors “often times [are] the weakest link in security. This is an issue widely overlooked by the government and long overdue for White House-level prioritization.”
Trump is asking DoD, DHS, the FBI and ODNI to submit a report within 90 days “on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.”
Tom Kellermann, CEO of Strategic Cyber Ventures, said the White House should go even further with cyber oversight.
“The EO represents a historic shift in governance. For too long cybersecurity has been perceived as an IT problem versus a critical risk management issue. This is a proactive shift in policy but this order does not go far enough as it should include a mandate that CISOs be elevated to be equal to CIOs and 20 percent of federal IT spend should be allocated to cybersecurity via OMB,” Kellermann said in a statement. “In addition, the President should establish the Superfund for Cybersecurity from the forfeited assets of cybercriminals and double funding for DoJ and DHS per cybercrime investigations. Lastly, the FCC should be directed to tackle distributed denial of service (DDOS) via authorization to sinkhole command and control.”