An Executive Order with Meaning?

June 14, 2017

As I reported in a story that appeared on SIW last month the Trump administration has made an effort to centralize an incredibly fractured federal government IT infrastructure when the President signed his Presidential Executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”. With this order the federal government will be following the same rules of engagement for protecting its IT and network infrastructure as private companies. Ironically, the U.S. government established the National Institute of Standards and Technology cybersecurity framework in 2013 to protect private business organizations but never followed it.

So now, more than 190 federal agencies who previously all have been running disparate cybersecurity programs will have the opportunity to create a unified framework that will not only help protect the nation’s critical data and information resources, but modernize some agencies that have IT systems that are between 30 to 50 years old. For example, the Commerce, Defense, and Treasury Departments, along with HHS and VA reported using 1980s and 1990s Microsoft operating systems that stopped being supported by the vendor more than a decade ago, and many departments are using unsupported operating systems and components.

This is the most aggressive Executive Order related to cybersecurity ever presented and is quite specific with regards to responsibility and accountability in addressing the challenges identified in the Order. Some of the particulars include requiring that all federal government agencies and departments implement the NIST Cybersecurity Framework (CSF) for managing cybersecurity risk; that all heads of executive departments and agencies will be held accountable for risk management, and that cybersecurity risk reporting within all agencies and departments will be consolidated and managed as an Executive Branch enterprise. Agencies and departments have 90 days to provide a report of their risk management efforts, identifying risk mitigation and acceptance choices, including strategic, operational and budgetary considerations that led to those choices and what are any of the accepted risks, including from unmitigated vulnerabilities.

So the big question is does the 90-day timeframe provide enough time for agencies to complete a comprehensive risk-management report? The fact that each agency will be conducting its own audit should help, but many IT professionals – 70 percent who responded to a recent poll – believe it is not sufficient enough time to audit all U.S. government IT systems and develop action plans.

John Kronick, Director ATG Cybersecurity Solutions for Stratiform says: “This Executive Order is a ‘tall order’ to accomplish in the timeline set forth in the order. Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use still under development. That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment.”

Even if assessments are made with the time constraints,  47 percent of IT pros believe sweeping security reviews like the one called for in the executive order are well-intentioned, but they don’t change much, and only six percent of IT pros believe sweeping reviews lead to much-improved security of IT systems, while still another seven percent believe sweeping security reviews are a waste of time.

“With experience in a school district that receives and reviews a lot of computer donations based on government refresh cycles, I can tell you that there are some rather old pieces of tech still in use in the government. I don't see this executive order succeeding when the government still uses devices with 'Designed for Windows XP' stickers still on them,” says Matt Johnson, an IT help desk technician.

Henry Boonstra, an IT professional with 15 years of government experience adds that agencies will never be able to enforce the order because they stay three to five years behind on the things they want to keep “up to date”.

“Everything is vetted and tested and vetted and tested again.  If you would like to start using a new piece of tech you have to wait until the next review board to start the process. So by the time you are even able to begin using something, it's already three years old,” he says.

One IT network administrator who was interviewed said that reviews were great, but he was willing to bet the guys in the trenches were already well aware of the problems and their reports have been falling on bureaucratic deaf ears for years.

The bottom line is assessments and plans are relatively cheap.  The real pain will come when the only way to become more resilient is to spend large sums on new infrastructure and highly skilled staff. Will the feds put their money where their mouths are to make this happen?

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]