US Executive Order on Cyber Security (with industry reactions)
US President Trump yesterday signed his long-anticipated Executive Order on cyber security. Its sections address "Cybersecurity of Federal Networks," "Cybersecurity of Critical Infrastructure," and "Cybersecurity for the Nation." It's a Federal-Government-centric order whose recurring themes are IT modernization and rationalization (including more shared services and use of the cloud), an emphasis on resilience, and an assertion that henceforth agency heads will be held accountable for the security of the organizations they lead. It mandates use of the NIST Framework across the Federal Government and places a strong emphasis on implementing sound risk management practices. It also calls for increased cyber deterrent capability.
Many of the Executive Order's elements are relatively uncontroversial and represent continuity more than a break with past policy (or past aspirations). Reaction has, of course, been mixed, but on balance positive. The tepid reviews come from those who see the document as more aspirational than operational, who regret its concentration on Federal agencies as opposed to the private sector, and who deplore its call for self-study and reports back (this last is the concern of critics like Senator McCain, who are impatient with studies and want reform and results). The endorsement of the NIST Framework and the document's sensible tone have found favor with observers who like the Executive Order and who believe official accountability to be a real possibility.
We heard from a number of industry experts who shared their observations on the Executive Order. The Information Technology and Innovation Foundation (ITIF) regretted the document's Government-centric tone and content. They liked the call for IT modernization, but said, "We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats." HITRUST was more positive, expressing approval of "potential private-sector infrastructure incentives and workforce development" as well as the plan's emphasis on risk management.
James Carder, CISO of LogRhythm and Vice President of LogRhythm Labs, approves of the focus on modernized IT architectures and use of IT shared services. He also likes what he sees about agency accountability. "I am hopeful this executive order will ensure each organization is accountable for implementing the cybersecurity controls necessary to protect our country from threats locally and abroad. The new order outlines things we've said before; however, in the past, the accountability and funding weren't there to see it become a reality."
John Bambenek, Threat Research Manager, Fidelis Cybersecurity, is among those who see real possibility in agency accountability. "The reality is that there have been many cybersecurity reports by the federal government that all basically say the same thing. The problem isn't a direction, it's implementation and accountability. With agency heads' jobs on the line, they now have an incentive to do things that they should have been doing all along, like risk management of their critical assets and information." He also notes that shared services, while appealing from an economic point of view, need to be employed in such a way as to reduce the possibility of introducing single points of failure.
Chris Pierson, the General Counsel and Chief Security Officer for payments company Viewpost, is also a fan of accountability. "Critical to anything regarding cybersecurity is ownership," he said. "Each agency head is now on alert that they own cyber as a part of their duties and must govern and appropriate time, budget, and people to tackle this," Pierson said. "This is a critical first step as it places the onus on each Agency Head to make sure cyber is part of their mission. The one throat to choke for accountability for federal cybersecurity is now clear." He also approves of the focus on critical infrastructure, principally the Defense Industrial Base, energy, and telecommunications.
Michael Patterson, CEO of Plixer, thinks there's one lacuna in the "laundry list of improvements" the Executive Order mandates. "[It] needs to go further and require government agencies to have forensic incident response systems in place that can remediate cyber challenges as quickly as possible."
John Kronick, Director of ATG Cybersecurity Solutions for Stratiform, notes that the Executive Order will prompt a flurry of reports, especially given the aggressive timeline it sets for agencies. The NIST Cybersecurity Framework has been around since 2014, "but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use are still under development." He also notes that identifying risks and mitigating them are, of course, two different things.
Mike Shultz, CEO of Cybernance, is among those who see a commendable continuity in the Executive Order's mandates. He approves of President Trump's requirement that agencies use the NIST Framework the Government developed under President Obama. He also sees commendable change. "This executive order marks a dramatic cultural shift in the way the federal government is looking at cyber security. Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems. However, critical information is leaking on a constant basis. Trump's order mandates that the security of federal agencies has to be controlled on an entire enterprise level—instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported on." (We note that Cybernance hasn't wasted much time in offering to help those agencies. It has announced that the Cybernance Platform is available to support compliance with the Executive Order.)
Dana Simberkoff, chief compliance and risk officer at AvePoint, thinks the Executive Order will have a useful collateral effect on the private sector. "The executive order will not only provide an opportunity for agencies to assess and improve their internal cyber programs, but also to look at investments in education and the corporate space to empower a future generation to be privacy and security aware, and to encourage companies to ramp up their investments in technologies to fortify our national and corporate security posture."
Will Ackerly, Co-founder and CTO of Virtru, thinks much of the Executive Order is on the right track, especially its call for cooperation among agencies and nations, and its call for resilience and rationalization of Federal IT systems. He would have liked to see more specifics (including some dealing with encryption), however, and he would have preferred the Order to address intellectual property protection directly. Civil liberties shouldn't be overlooked, either. "Ultimately, while cybersecurity is critical to our national security, it is imperative that we keep civil liberties top of mind. Each agency's CISO should comply with the highest standards of individual and business privacy to ensure that we're not compromising the rights of our civilians or government employees to communicate freely and without fear of unwarranted surveillance."
Derek Gabbard, CEO of FourV, likes the Executive Order's ambitious timeline. "For a report on status only 60 days is aggressive but not insane. Department heads may find they would like more time so they can work on the report while addressing any glaring oversights, but there's really not time for that. If the departments have been implementing and following Continuous Diagnostics and Mitigation (CDM) this reporting should not be a heavy lift." He thought the emphasis on botnets and distributed attacks oddly out of place, and read it as "a directive to the heads of several departments and agencies authorizing them to get involved in protecting critical infrastructure (specifically, the Internet and other communications networks). This section is short, but implies the potential to get government involved in protection of privately-owned critical infrastructure in a way which has not been done previously. I'd watch what gets done in the name of this section closely, as this could dramatically change the way privately owned systems are operated."
Gregg Smith, CEO of Silent Circle, liked a lot of what he saw, especially the emphasis on holding agency heads accountable for their organization's cyber security. "As it stands today, each agency seems to be going about the management of cybersecurity risk in their own way, which is wasteful given that similar threats and vulnerabilities affect each agency." He's not sure, however, how realistic it is to expect Government to take effective actions within ninety days, but he does like the emphasis on critical infrastructure and the call for cooperation with international allies. He was disappointed that mobile devices were not addressed. The pervasive use of mobile technology across the Government makes "the non-mention a gaping hole."
Jess Richter, Chief Revenue Officer of DarkLight, thinks the Executive Order's insistence on accountability is likely to be "the most impactful, as it's what previous EOs lacked." He also likes the requirement that OMB and DHS have sixty days to report on cyber security audits of each Department and agency. He calls that "an absolute no-brainer," and says it should have been done years ago. He thinks the talk about technical resilience is more about driving interagency collaboration than anything else, but he does think the timeline "laughable." As he puts it, "Attention hackers: you have up to one year before the agency's plans will become public for how they intend to protect against automated attacks."
Steve Grobman, Senior Vice President and Chief Technology Officer, McAfee, thinks that the Administration is right to make security of Federal systems and networks a priority. "Getting the government's own cyber house in order is job one, and holding agency and department heads accountable is key." He sees an analogy with corporate operations: CEOs might not be cybersecurity experts, but they're ultimately responsible for risk mitigation. He also approves of the emphasis the Executive Order places on the NIST Framework, the directive to work collaboratively, and the marker the Order puts down for IT modernization.
Jonathan Sander, CTO at STEALTHbits Technologies, notes the Executive Order contains "exactly" what it was expected to. He approves of the emphasis on risk management, and thinks two areas singled out for special attention are particularly interesting: "resilience against automated, distributed threats and incident response in the electricity supply." He advises watching, as the required reports come in, "how concrete and thorough" their recommendations prove to be.
Chris Doman, a security researcher for threat intelligence specialist AlienVault, saw the Executive Order as representing a long continuity, with similarities going back to reviews the US Senate undertook in the late 1990s. While he would summarize it as "mostly a to-do list of reviews to be completed," he does welcome the strong emphasis on accountability. This, he thinks, contrasts strongly with what he sees as a lack of accountability in the 2015 OPM breach.