President Trump just signed a new cybersecurity Executive Order that has important implications, not only for federal agencies, but for Critical Infrastructures as well. In addition to noting that it is “the policy of the United States to manage cybersecurity risk as an executive branch enterprise”, the order states that, “Free and secure use of cyberspace is essential to advancing U.S. national interests. The Internet is a vital national resource. Cyberspace must be an environment that fosters efficiency, innovation, communication, and economic prosperity without disruption, fraud, theft, or invasion of privacy.”
It goes on to state that American government agencies and critical infrastructure “are currently vulnerable to attacks from both state and non-state actors” and that the Federal Government has a responsibility to “protect both privately and publicly operated critical networks and infrastructure.” To do this, it orders a top-down review of critical U.S. cyber vulnerabilities within the next 60 days, followed by an analysis of US cyber capabilities to address risks.
1. It strengthens the accountability of Department & Agency leadership for cybersecurity breaches.
Events of just the past year make it clear that change needs to happen, and it needs to happen from the top down. According to White House Cybersecurity Coordinator Robert Joyce, “Cybersecurity isn’t the domain of the IT department or even the chief information security officer. That leadership from the top is what is going to make us safe.”
Security does indeed need to be an executive-level issue. When leaders make cybersecurity a top priority, it is much easier to get everyone in the organization on board. Of course, accountability requires information. To effect change, leaders will need to rely on the information collected through the thorough analysis of our cyber assets, defenses, mitigations, and recovery mechanisms ordered in this new E.O. This will allow them to develop a strategic and executable plan with their security experts, and establish milestones to ensure that it stays on track.
The challenge will be in making this happen with the resources and expertise available within the Government. As I have said before, the top priority of each Department needs to be the area they’re responsible for (“we count on the Department of Interior to be really good at protecting the bison and the trees. We can’t pretend that every department will be good enough to stop Russian GRU and Chinese MSS.”)
This is why the government needs to establish government cybersecurity service providers with appropriate capabilities and clearances that can establish and deploy a high-end security strategy, and provide essential security services for all Departments and Agencies. Government Service Providers would also enable easy access to private sector security services when Departments and Agencies need them quickly. Such a strategy would establish a critical mass of high-end security people and services to be used by Departments and Agencies throughout the government, enabling Department heads to focus on their core missions while still being accountable for enlisting optimal security services for their organizations.
2. It seeks to assure the security of the nation’s critical infrastructure, including the ability to recover from a serious breach or incident.
Our nation’s critical infrastructure is increasingly at risk due to increased attack surfaces and demonstrably increased threats. This makes it imperative that it can resist threats by design. This not only includes being protected with advanced security technologies to mitigate attacks, but also being resilient should an attack manage to bypass those safeguards.
Security is about more than just deploying a technology. To ensure protection and resiliency, it is essential that we begin by engineering as much risk as possible out of our networks. Too often, we forget to address Consequence - the third dimension of risk (Threat, Vulnerability, Consequence). So in addition to technical solutions that address Threat and Vulnerability, we need to use Consequence-based engineering in which potential bad consequences are minimized during architectural design to minimize the reliance on technology alone.
Since much of our critical infrastructure lies in the hands of private industry, it is also essential that we develop public-private pilots that allow different teams to join forces, to create ‘muscle memory’ by working together. This can help ensure that appropriate protections and counter-measures are available, and guarantee operational readiness in the event of an attack or breach.
3. It explores new approaches for securing networks.
In addition to a vulnerability and adversaries assessment, this Executive Order also requires that a report be prepared that outlines “economic and other incentives to induce private sector owners and operators of the Nation’s critical infrastructure to maximize protective measures; invest in cyber enterprise risk management tools and services; and adopt best practices with respect to processes and technologies necessary for the increased sharing of and response to real-time cyber threat information.”
Recent security breaches have made it clear that no one is immune from concerted efforts to breach cyber systems or access certain data, whether through efforts by foreign entities to break into our networks, or by determined insiders who manage to collect and exfiltrate sensitive information.
The E.O. taps the American Technology Council to explore some ideas that surfaced in the latter part of 2016 that would change the way Federal Departments and Agencies obtain and operate their IT, to include, importantly, cybersecurity services.
Though the details have yet to be revealed, the initiative to modernize our Federal networks and systems is welcome news. And proper incentives will enable enlistment of the private sector to design secure and resilient systems, assist with hardening Federal networks with purposeful engineering, collect and correlate threat intelligence across public and private agencies through integrated security tools and shared services, and develop coordinated and automated responses to threats regardless of where they occur. The American private sector has much to offer in helping the professionals in the US government get their networks and systems to the place they need to be.
For example, they could help develop a national anti-DoS capability to protect Federal networks and critical infrastructure from nation states and criminal actors who attempt to take down our cyber infrastructure using denial of service attacks. Service providers, carriers, security vendors, and even many government agencies already have the technologies and techniques in place to solve this problem. The problem is, as with other threats, we are currently addressing this problem in an uncoordinated manner. We need a concerted effort to create a cohesive, integrated, and automated system to protect ourselves from this and similar threats.
The future of our nation depends on our ability to embrace the new digital economy. Along with opportunities for growth and prosperity, this also brings new risks and challenges. From what we have seen, the goals of this new Executive Order on cybersecurity are an important first step. The challenge, of course, will be in the details, and in the degree to which innovative, automated, future-ready solutions are recognized and embraced.