by Alexander Gessen, CCE, EnCE, CISSP
President Donald J. Trump signed and released the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure last Thursday. This latest executive order will lead to several changes in the ways that the U.S. Government – and all its agencies – are expected to handle IT security going forward.
Most of this executive order is specifically targeted at the public sector, but certain components will likely impact the private sector while seeking to better protect the privacy of the general population.
First and foremost, the EO covers departments and agencies within the Executive Branch of the government, which includes entities like the Department of Treasury, Office of Personnel Management, Food and Drug Administration, and others, as well as providers of critical infrastructure.
This EO takes a more comprehensive and well-rounded approach to current and future IT security needs in the public sector, incorporating elements ranging from raw risk management to system modernization. Regarding the former, the White House appeared clear that the policies and practices related to vulnerability management need to progress to ensure that actions such as the swift implementation of vendor patches occur.
On the latter aspect, the EO specifically calls out executive agencies and departments for relying upon “antiquated and difficult-to-defend IT,” which has certainly been an unchecked issue for years now. This, the EO stated, will require much stronger coordination between various departments such as those in charge of budget, strategy, and general operations management.
The EO also contains a directive that will expedite the ramping up of this coordination.
The most pressing matter for executive agencies and departments is the requirement to file a report with the Secretary of Homeland Security and the Director of the Office of Management and Budget by August 9th, 2017. The 90-day order calls for a thorough rundown of continued risks, all mitigation policies and actions, and an exhaustive strategy to implement the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.
That document is now officially the gold standard and template for agencies and departments within the Executive Branch, and can be found through the NIST website. Keep in mind the EO also demands all covered agencies comply with the most recent iterations of this document.
Once those documents have been received, the EO gives the Secretary of Homeland Security and Director of the Office of Management and Budget 60 days to evaluate and reconcile the contents therein.
Basically, covered agencies will need to assess where they stand today with respect to risk mitigation and cybersecurity and compare that to the NIST Framework; the Director and Secretary will then decide what types of resources need to be disbursed to bring the departments up to speed.
Leaders in each agency need to get moving on this report as soon as possible – the more quickly the document is filed, the faster resources will be disbursed to improve security. This is notable, as the EO also stated that agency heads will be held accountable to President Trump when lapses of security take place.
Revamping the architecture
President Trump’s EO requires the Director of the American Technology Council to produce a report on the modernization needs of the government’s IT systems and opportunities to improve architecture. As a note, sec. 4 (c) defines IT architecture as “the integration and implementation of IT within an agency.”
Copies of that study will be distributed within 90 days to the President, and will be vetted through a coordinated effort with the Secretary of Homeland Security, OMB Director, Administrator of General Services, and the Secretary of Commerce.
This is notable, as it essentially shows that the White House is working to de-silo the ways in which technology has been managed in the executive branch, boosting collaboration with a wider range of leaders. Considering the policy, strategy, and budgetary implications of such a weighty project, this coordinated, centralized approach will likely yield some promising progress in government IT.
The fact that this EO places architecture front-and-center shows that its authors are on the right path, as antiquated systems and poor architecture continue to be massive cybersecurity risks in the government.
Guarding the grid
Another key element of this EO is its coverage of “critical infrastructure” such as power grids and the nation’s policies related to the transparency of major corporations responsible for these and other systems. The first step is to re-evaluate critical infrastructure to identify the ones at greatest risk, piggy-backing on former President Barack Obama’s 2013 Presidential Directive 21, Critical Infrastructure and Resilience.
Leaders from the government’s intelligence, law enforcement, and IT communities will all be involved in this action, effectively taking stock of the nation’s critical infrastructure and deciphering cybersecurity risks therein. That report is due on President Trump’s desk by November 7th, 2017, or 180 days after the EO was released.
This same section demands that a range of executive branch leaders thoroughly evaluate cybersecurity risks facing electric grids, the defense supply chain, and a range of telecommunications, utilities, and other critical infrastructure entities.
Finally, automated attacks were specifically called out, with the EO directing the Secretary of Commerce and Secretary of Homeland Security to produce a report on the threat of botnets to critical infrastructure. All in all, within the next 240 days, this EO will generate an exhaustive rundown of cybersecurity threats to virtually every element of the nation’s critical infrastructure.
Branching out for tighter protection
Section 3 of this EO, titled “Cybersecurity for the Nation,” might be the most progressive and vital of all. It includes the following key directives and measures:
- Encourages “open, interoperable, reliable, and secure internet” and declares this as official White House and executive branch policy.
- Calls for the production of a strategic plan to increase security for private citizens and entities.
- Demands the intelligence community and other entities formulate an engagement plan to increase cybersecurity coordination efforts with other nations.
- Lists several directives to various entities regarding the evaluation of current cybersecurity training and workforce development practices.
That final directive, Sec. 3 (d)(i) through Sec. 3 (d)(iv), should certainly have a massive, positive impact on the nation’s cybersecurity going forward. For example, negligent and untrained employees are among the most common causes of data breaches and security failures, and this directive calls for vast improvements following exhaustive evaluations of both this country’s practices and those of foreign nations to get ahead of the curve.
President Trump’s Cybersecurity EO is an unquestionably strong step in the right direction, but it is important to keep in mind here that it is only the first of many that will need to be taken. Again, virtually all of the directives within this document are for investigative and assessment activities. Those are certainly critical and have to come first, but the real test will be how swiftly the government can translate the findings into intelligent, effective action.
The nation’s IT systems, architecture, and infrastructure are in dire need of modernization, as well as a long-term plan to better keep up with the rapid evolution of cybersecurity risks and technology at large. The EO yields serious hope that the government has become abundantly aware of these needs.
However, officials will need to remain highly vigilant and disciplined throughout the next 240 days of examination activity, as well as when the time comes to turn ideas into reality.
Alexander Gessen is HAYSTACKID’s National Director of Forensics