Seeking a Cyber Agenda
After being elected as the next U.S. president, Donald Trump put out a statement saying that he would create a national cybersecurity plan within 90 days of taking office on January 20.
“We must defend and protect federal networks and data,” Trump said in a statement. “We operate these networks on behalf of the American people, and they are very important and very sacred.”
While creating that plan, the U.S. Commission on Enhancing National Cybersecurity released a report that commission creator, then-U.S. President Barack Obama, requested to aid the next administration.
“We have the opportunity to change the balance further in our favor in cyberspace—but only if we take additional bold action to do so,” said Obama upon the report’s release in December 2016. “My administration has made considerable progress in this regard over the last eight years. Now it is time for the next administration to take up this charge.”
The commission’s study, Report on Securing and Growing the Digital Economy, recommended that the Trump administration focus on deepening public-private cooperation to protect critical infrastructure and respond to cyber incidents. It also recommended investing in research and development to improve products and technologies, expanding the use of strong authentication to improve identity management, and continuing to prioritize and coordinate cybersecurity efforts across the federal government.
At the same time, another cybersecurity initiative—the Center for Strategic and International Studies (CSIS) Cyber Policy Task Force—also released a report on a comprehensive cybersecurity strategy for the United States.
“The goals of our recommendations for the next administration’s cybersecurity efforts remain the same: to create a secure and stable digital environment that supports continued economic growth while protecting personal freedoms and national security,” the task force said in a statement. “The requirements to achieve these goals also remain the same: central direction and leadership from the White House to create and implement a comprehensive and coordinated approach, since cybersecurity cuts across the mission of many different agencies.”
Both commissions briefed the Trump administration on their recommendations, and in May—just past Trump’s self-imposed 90-day deadline—the president took action on them and signed an executive order laying out his cybersecurity agenda for the next four years.
The order takes the commissions’ and experts’ best ideas, combined with the Trump administration’s priorities, and puts them into action to “keep Americans safe, including in cyberspace,” said Tom Bossert, assistant to the president for homeland security and counterterrorism, in a White House press briefing.
The order is broken down into three sections: securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation.
Networks. Trump’s first priority, Bossert said, is to protect federal networks. To do this, the president will hold agency and department heads accountable for managing cybersecurity risk to their enterprises.
“Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data,” according to the order.
Mike Schultz, president and CEO of Cybernance, a cyber risk governance technology solutions provider, says he supports any initiative that aims to hold agency heads accountable for data breaches and lax cybersecurity.
Schultz was one of the many victims of the U.S. Office of Personnel Management (OPM) data breach in 2015, and explains that he was disappointed with how the government responded to the breach and its failure to fire OPM Director Katherine Archuleta.
If the same kind of breach had happened in the private sector, Schultz says Archuleta would have been fired immediately. He believes the federal government needs to have that same level of accountability for agency heads and those responsible for cybersecurity.
Agency heads will also be held accountable for implementing the National Institute of Standards and Technology (NIST) cybersecurity framework and any subsequent documents NIST may release to manage their agency’s risk.
For too long, “we’ve practiced one thing and preached another,” Bossert said, adding that it’s time for the U.S. government to implement the NIST framework as it’s encouraged the private sector to do for several years.
As part of this effort, agency heads had to submit to the secretary of homeland security and the director of the Office of Management and Budget (OMB) a risk management report detailing the strategic, operational, and budgetary considerations for implementing the NIST framework; any accepted risk, including from unmitigated vulnerabilities; and an action plan to implement the framework.
The OMB director will then use these action plans to craft an overall plan to implement the NIST framework, along with creating a process for addressing future “recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise,” according to the order.
However, Sameer Bhalotra, cofounder and CEO of cybersecurity startup StackRox and cochair of the CSIS task force, says he does not see the requirements for the NIST framework in the federal government as the beginning of an effort to require implementation by private companies.
Bhalotra formerly served as the senior director for cybersecurity on the National Security Council during the Obama administration. He says that one of the things that held the Obama administration back from pushing the framework was the private sector’s fear that the voluntary framework would become a mandatory regulation.
“Under the new administration, there’s a lot less concern that Congress in the near term is going to pass regulatory requirements,” Bhalotra adds. “With that concern behind us, I think the NIST framework is going to be awesome.”
Each agency implementing the NIST framework will also help unify the federal government’s cybersecurity posture, which Bossert explained will now be viewed as a centralized system with each agency doing its part to keep it secure.
The federal government’s network needs to be looked at as an enterprise, instead of viewing departments and agencies individually, to assess where the biggest risks are and increase or decrease resources accordingly, based on that risk posture, Bossert said.
This marks a dramatic cultural shift in the way the federal government views cybersecurity, Schultz says.
“Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems,” he explains. “However, critical information is leaking on a constant basis. Trump’s order mandates that the security of federal agencies has to be controlled on an entire enterprise level—instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported on.”
As part of this initiative, agency heads will be instructed to show preference in their procurement for shared IT services—to the extent permitted by law—for email, cloud, and cybersecurity services.
“I’m not here to promote that the president has created a cybersecure world and a fortress USA,” Bossert said. “But if we don’t move to secured services and shared services, we’re going to be behind the eight ball for a very long time.”
This move was one of the recommendations the CSIS task force made in its report and that Karen Evans, national director of U.S. Cyber Challenge and a cochair of the CSIS task force, says she hoped the administration would act on.
Using resources like cloud services might not result in cost savings for the federal government, but Evans says it would reduce the government’s risk of a breach.
“There is a lot pushing toward that direction and using those technologies for security purposes to reduce risk—not necessarily for cost efficiencies, but actually making use of the newer technologies to be able to reduce risk,” she explains.
This is because outsourcing basic security functions allows organizations to focus their attentions elsewhere, such as on critical or uncommon cyber risks that are the “most consequential to their organization,” the task force report said.
Infrastructure. The second portion of the executive order mandates that the executive branch will use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of U.S. critical infrastructure.
This includes identifying agencies that could support the cybersecurity efforts of critical infrastructure entities at greatest risk of attacks that could result in “catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.
The order also calls for an assessment by the secretaries of energy and homeland security and the director of national intelligence of the United States’ ability to handle a prolonged power outage associated with a significant cyber incident.
Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Commission (NERC), says electric utilities are well positioned to provide input for this report.
“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell says. “I would strongly recommend that the U.S. Department of Energy reach out to NERC, utilities, and trade associations to compile their findings as many lessonslearned have already been documented and acted upon.”
National security. The final section of the executive order focuses on cybersecurity for the nation and highlights the need for the United States to support the “growth and sustainment” of a skilled cybersecurity workforce to maintain an advantage over other nations.
To accomplish this, the order tasks the secretaries of commerce and homeland security, with others, to assess current efforts to educate and train the cybersecurity workforce of the future, report on those efforts, and craft recommendations to support these efforts.
The order also directs the director of national intelligence to review workforce development efforts of America’s cyber peers “to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.”
Including this initiative on workforce development was an encouraging sign, Harrell says, because massive data breaches and major cyberattacks will continue.
“As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow,” he explains. “Many organizations are desperate to find qualified security professionals and fill key staff positions. Therefore, promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”