Earlier this month the Trump administration made an effort to centralize an incredibly fractured federal government IT infrastructure when the president signed his executive order on "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." With this order, the federal government will be following the same rules of engagement for protecting its IT and network infrastructure as private companies. Ironically, the U.S. government established the National Institute of Standards and Technology (NIST) cybersecurity framework in 2013 to protect private business organizations but never followed it itself.
So now, more than 190 federal agencies that previously have all been running disparate cybersecurity programs will have the opportunity to create a unified framework that will not only help protect the nation’s critical data and information resources but also modernize agencies whose IT systems are between 30 and 50 years old. For example, the Commerce, Defense, and Treasury departments, along with HHS and the VA, report using 1980s and 1990s Microsoft operating systems that stopped being supported by the vendor more than a decade ago, and many other departments are using unsupported operating systems and components.
Despite efforts and mandates addressing cybersecurity by recent past presidents, it is clear that past attempts to modernize and secure federal agency and department IT systems and data have been neither successful nor well-coordinated. According to a recent survey, nearly all federal respondents consider themselves vulnerable to data breaches and cite problems with security staffing and spending, all at a time when nation-state cyber hacking and cyber warfare activities are being directed at federal agencies and critical infrastructure targets in the United States at record levels.
Leading security and risk experts are saying this is the most aggressive executive order related to cybersecurity ever presented, and that it is quite specific with regard to responsibility and accountability in addressing the challenges identified in the order. Some of the particulars include requiring that all federal government agencies and departments implement the NIST Cybersecurity Framework (CSF) for managing cybersecurity risk; that all heads of executive departments and agencies be held accountable for risk management; and that cybersecurity risk reporting within all agencies and departments be consolidated and managed as an executive branch enterprise. Agencies and departments have 90 days to provide a report of their risk management efforts, identifying risk mitigation and acceptance choices, including the strategic, operational and budgetary considerations that led to those choices, and any accepted risks, including those from unmitigated vulnerabilities.
The new order also directs agency heads to show procurement preference for IT shared services, including email, cloud, and cybersecurity services. While the push toward shared services is not new, it is important to note the emphasis on "cloud" in the context of a cybersecurity order. This is a change from the past, when IT professionals avoided the cloud because it was perceived to be less secure. The president's endorsement of the cloud shows that the more common thinking today is that cloud means higher security.
According to John Kronick, Director of ATG Cybersecurity Solutions for Stratiform, the executive order is a “tall order” to accomplish in the timeline set forth in the order.
“Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use are still under development. That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment,” says Kronick, who adds that while the executive order mandates use of the CSF, there has been a lack of consensus on how best to use the CSF within the agency, how to remediate findings, and consequences for not addressing CSF gaps and issues.
“There will, no doubt, be a flurry of reports generated as a result of this executive order, and just like the GAO studies and reports, follow-up actions on these reports tend to get pigeon-holed and superseded due to competing priorities or budgetary pressures. And besides, the CSF does provide the option of not addressing risk issues at the discretion of the risk owner,” he adds.
Kronick wonders who will make CSF report owners accountable for the findings of the reports, whether a process will be established by the GAO or OMB to “audit” the agency CSF risk assessments, and, if so, how often.
One of the overriding mandates in the order is that all federal IT systems be moved to the cloud, in the hope that it will help alleviate some of the fractured security infrastructure policy within the government. Homeland security adviser Tom Bossert said: “From this point forward, the president has issued a preference in federal procurement in federal IT for shared systems. We've got to move to the cloud and try to protect ourselves instead of fracturing our security posture.”
“It’s important to note that simply moving IT assets to the cloud won’t make them immune to the threats we face today,” says Varun Badhwar, CEO and co-founder of cloud infrastructure solutions provider RedLock. “Cloud providers are only responsible for securing the underlying physical infrastructure, and the government will remain responsible for securing the applications, data, and users within these environments. Securing cloud infrastructure requires a unique cloud-native approach – existing security tools do not work in the cloud.
“Further,” he adds, “the government must ensure their security tools provide holistic visibility and continuous monitoring across three critical areas: network traffic, system security and user behavior. After all, you’re only as secure as your weakest link, and taking a siloed approach with these three areas can provide a false sense of security. True holistic visibility into all three is paramount to the security of the government’s cloud infrastructure. The government, like all organizations, must operate under the assumption that they will get breached someday, and be prepared to rapidly investigate, contain and respond to security incidents within hours – not months or years as is the case today.”
Leo Taddeo, CISO of Cyxtera Technologies, says that the order also has several forward-looking goals, such as addressing the threats from hijacked devices as the specter of the IoT invasion looms. But he wants to wait to see more specifics before passing judgment.
Taddeo says that the order is not a plan to fix the federal government's cybersecurity challenges. Instead, it's a directive to each agency to implement the NIST framework to assess the agency's cyber risks and create plans to mitigate them. He adds that the task of judging the adequacy of the assessments and the plans falls on DHS and OMB and admits this is a risky approach, given DHS's questionable track record in cybersecurity. It also doesn’t direct any new spending on cybersecurity.
“Assessments and plans are relatively cheap. The real pain will come when the only way to become more resilient is to spend large sums on new infrastructure and highly skilled staff. These decisions are left for an undetermined later date,” continues Taddeo. “Overall, it appears the order implements important first steps. It highlights the cybersecurity issue, puts agency heads on notice that they are accountable, and directs them to assess the risks and develop plans to mitigate them. This is a solid approach. The question is whether agencies will be able to execute the plans within reasonable spending constraints. The best hope in the order is the emphasis on shared services as a means to increase cybersecurity and reduce spending.”
Like many in the cybersecurity world, STEALTHbits Technologies CTO Jonathan Sanders likes the accountability factor that seems to permeate the entire executive order and that it also takes a risk management approach. But he finds a couple of highlights most intriguing.
“Two that are especially interesting are resilience against automated, distributed threats and incident response in the electricity supply. Remembering the cyber-attack that crippled Kiev’s power and the suspected attack here in the U.S. last April, the notion of keeping the electricity on is surely serious and timely. The order essentially calls for a series of reports about these two areas and much more, asking that agencies use the NIST framework as a guiding principle as they evaluate their security. As the reports come in over the next 60, 90, and 120 days, the thing to watch for will be how concrete and thorough the recommendations will be.”
Tom Pageler, Chief Risk Officer and Chief Security Officer for Neustar, sees the administration’s move to prioritize cybersecurity and adopt an enterprise risk management approach, similar to how leading private firms rank, assess and mitigate cyber threats, as an extremely positive move. However, he also sees some red flags in the order as written.
“First, the order emphasizes that government agencies should be following NIST, but in reality, most should be or already are doing this, so this is not a shift or something new to improve cybersecurity. An even greater concern is that there is no mention of funds being allocated to upgrade the tools and hire the qualified talent in order to execute on this order,” laments Pageler. “As many organizations know, these are some of the biggest challenges in securing infrastructure. So without a committed budget to this initiative, it is likely to result in very little change in the security posture of most agencies. Again, the risk assessment mandate will be a huge step in the right direction and I am eager to see the government improve their cybersecurity stance.”
About the Author: Steve Lasky is a 30-year veteran of the security industry and is the Editorial Director of SouthComm Security Media and Editor-in-Chief of Security Technology Executive magazine.