While President Biden’s executive order (EO) on improving the nation’s cybersecurity and the follow-on guidance from the White House Office of Management and Budget (OMB) represent critical steps forward in protecting the U.S. against the increasing volume and dangers of cyberattacks, Federal agency officials said during an ATARC webinar on November 2 that the directives also present challenges that may require flexibility in their execution.
These cyber EO directives, the officials agreed, are unquestionably setting the right path for creating more robust cybersecurity to protect the nation. At the execution level, however, challenges remain, they said.
One problem, officials said, is accounting for the lack of ubiquitous processes among Federal agencies to handle data – specifically event data such as app logs, system logs, security logs, network devices, services events, and network traffic.
According to Paul Blahusch, the chief information security officer (CISO) for the U.S. Department of Labor (DoL), that becomes a challenge because the rigid guidelines of the EO take away power from individual agencies to decide what makes sense for their organization.
“What works for one agency might not work for another based on how and why they use and collect data. But with the firm nature of these directives, we can’t decide what we would like to hold off on or prioritize,” Blahusch said. “This will be a challenge for us at DoL because I suspect with the resources that we have at our disposal, we will not be able to meet all the directives at their designated times.”
Federal officials also emphasized that managing the rate of event data while meeting guidelines from the EO and OMB can not only be technically challenging, but also challenging to handle in a cost-effective manner.
“There is no funding behind these directives,” Ralph Mosios, CISO for the Federal Housing Finance Agency, said. Balancing the EO directives while meeting budgetary demands presents a challenge, he added.
FHFA officials have cited recent cyberattacks to explain to agency leaders why the organization needs more funding to meet current demands for cybersecurity, Mosios said.
Allison McCall, CIO for the National Technical Information Service, said her team has prioritized its cybersecurity efforts to decide what needs the most attention for their agency. But it continues to balance those priorities with development and management work that still needs to get done, thus creating budget challenges.
“This is a challenge. And we need funding to work operationally and meet directives within [these guidelines] and all that we are being asked to accomplish. Because it is important,” McCall said.