This month marks the first anniversary of President Trump signing his cyber executive order (EO), formally titled the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With the anniversary of the May 11, 2017 signing upon us, MeriTalk spoke with industry experts about the EO and the state of cybersecurity in the Federal government.
With the cyber EO now a year old, it is worth revisiting exactly what the Trump administration focused on. First, the cyber EO stresses the importance of protecting data held within Federal networks, and of holding agency heads accountable for implementing risk management measures. To increase accountability within the Federal government, the EO mandates multiple new reports from agency executives to document their progress in meeting the EO’s goals and requirements. The order also mandates that agencies use the previously voluntary NIST Cybersecurity Framework. To align with the larger Federal modernization push, the EO focused on modernizing Federal IT systems–with a preference for shared services.
Grading the EO
When asked to give the cyber EO a grade, Chris Townsend, VP-federal for Symantec, said that while it was too soon to do so, he gave the administration an “A” for putting cybersecurity at the top of its agenda.
“The changes outlined in the EO and later in the Report on Federal IT Modernization reflect a new vision that understands cybersecurity as an integral component of an agency’s IT strategy, not something to be addressed in isolation or as simply another compliance exercise,” he said. “That’s a big change, and it wasn’t going to happen in a year.”
The EO emphasizes the importance of Federal agencies adopting the NIST Cybersecurity Framework–which is an ongoing process. Both Townsend and Ralph Kahn, VP-federal for Tanium, stressed the importance of adoption for improving agencies’ cyber defenses. However, both had suggestions to improve the framework.
“The NIST Framework is giving Federal agencies a common language and a baseline that will allow them to compare metrics and measurements, which was not possible before,” Kahn said. “NIST can make the framework even more effective by emphasizing the importance of real-time inventories and clarifying how agencies can track and improve the speed with which they respond to threats.”
Townsend agreed that the framework was helpful, but worried that mandating its adoption would lessen the framework’s efficacy.
“Given the complexity of today’s enterprises, risk management should be an integral component of any cybersecurity strategy,” he said. “That is why the NIST framework is a linchpin of the cyber EO. If there is any pitfall with the framework, it is that, now being a mandate, it comes to be seen as an exercise in compliance. If taken seriously, it provides an effective way for organizations to assess and improve their cyber posture.”
Cybersecurity threats are constantly growing and changing. Two areas that are coming under increased cyber threats are the critical infrastructure sectors and election technology. However, as the Federal government shifts its focus to critical infrastructure and election technology, is there a risk that Feds are paying less attention to other cyber weaknesses?
“Security concerns around election technology and critical infrastructure should not be viewed apart from more traditional IT cyber issues,” Townsend said. “Across the board, cyber threats are growing in number and increasing in sophistication–and so require a more integrated, strategic approach. The increased focus on election technology and critical infrastructure reflects a growing awareness of the vulnerability of these systems.”
Kahn said that there’s no such thing as having “done enough” when it comes to cyber risk management because it’s “not about checking off a box.”
“Every organization, whether private or public, should be focusing on active risk management, continually understanding their risk and improving the speed at which they respond to threats,” Kahn explained.
In addition to dealing with new cybersecurity threats, the United States is also faced with increased offensive activity from foreign adversaries–most notably Russia, China, and North Korea. Both Kahn and Townsend had advice for Feds that are working to improve the U.S.’s cybersecurity posture.
“It comes down to speed,” Kahn said. “Adversaries are not going to back down. The more we drive down the time it takes to identify threats and get them out of the system, the more secure our government will be.”
Townsend suggested that agencies need to make sure they are focusing on the forest–not the trees–when it comes to cybersecurity.
“The easy answer would be to buy newer and better technology, of which there is plenty,” he said. “But that is not enough. Rather than thinking in terms of point solutions, agencies need to step back and look at their enterprise as a whole–from the data center to the cloud, and from the network perimeter to the application and data levels, wherever they might reside. What’s needed is an integrated platform approach that takes into account this evolving network architecture, and leverages machine learning and related technologies that enable automation, and boosts both cyber defense and detection.”
Private Sector Playing a Role
Both executives believe that the private sector has a great deal to offer Feds.
“The private sector will continue to drive innovation in cyber solutions, developing new tools and techniques in response to new and emerging threats,” Townsend said. “The challenge is to create a collaborative environment in which our knowledge informs the development of cyber policies and strategies–and in which our energies are aligned with the Federal government’s key priorities.”
Kahn had praise for how the administration has included the private sector in the process thus far.
“The private sector is vital to helping the government secure its networks, and this administration has done a good job of consistently seeking the private sector’s input on Federal cyber policies,” he said. “The government should continually make it easier for agencies to adopt [private sector] best-in-class technology that provides them the real-time visibility and speed they need to stay secure.”