Security shield slingers are loving Prez Trump's cybersecurity order
Meanwhile, Fed heads have their work cut out for them
On the other side of the fence, computer security product makers have broadly welcomed the policy, which also calls on government and industry to reduce the threat from automated attacks on the internet.
The delayed cybersecurity executive order aims to bolster the government's information security while protecting the nation's critical infrastructure from cyberattacks. The order is important because it sets the direction for US infosec policy in government and beyond. Unlike many of President Trump's other policy initiatives, the order is largely uncontroversial and might (whisper this gently) be seen largely as a continuation of measures former President Barrack Obama was putting into place.
Kevin Davis, VP of public sector at Splunk, said: "Improving cybersecurity is one of the few items both sides of the aisle can reach across and agree on, and today's executive order is a good, bipartisan step to better protect our government's networks and critical infrastructure."
"Hackers' preferred attack methods against the public and private sector change daily, and Trump's executive order is a good reflection of the need for adaptability in today's threatscape. And as methods of cybercrime continue to evolve, it will be important to government agencies to rely on data analysis, to quantify the risk so they can adapt appropriately," he added.
Some experts argue that the order will spur an overdue rethink about federal IT security strategies.
Davis explained that the order differs in several important respects from the draft order floated by the Trump administration back in January.
"The draft order gave DoD [US Department of Defense] a very muscular role in almost every component of the original plan," Davis said. "In the signed order issued today, DoD is tasked with contributing to the plan in areas more in line with its war-fighting capabilities.
"Similarly, the earlier order sought to explore ways to promote cyber resiliency in the private sector by creating financial incentives (ie, tax breaks) to spend on cybersecurity. The signed order turns to market transparency to encourage critical infrastructure entities to properly mitigate cyber risks. This approach transfers the costs and risks of improper planning to the infrastructure owners and investors and away from the taxpayer," he added.
The buck stops there
The order means federal agency heads will be held accountable for the effective management of the cyber risk within their agencies, something that was always an implicit duty but is now an explicit responsibility. Agency bosses will be obliged to implement the National Institute of Standards and Technology (NIST) risk management framework to develop assessments and plans. According to the executive order, agencies have 90 days to report back on risks and provide strategic plans for mitigation that work within budgetary constraints.
The executive order promotes network consolidation and shared IT services – a push towards streamlining services and keeping costs down. Increased consolidation will make it easier to apply a common (hopefully more robust) security architecture. In addition, the order promotes action against networks of compromised computers or other devices (botnets).
The order lays out a roadmap toward shared services and the cloud for applications including email. Companies providing security solutions in the cloud may see an uptick in federal business as these preferences translate to projects and spending, according to industry experts.
Stephen Coty, chief security evangelist at Alert Logic in Texas, said: "This executive order is using a risk-based approach to cybersecurity for the US government and its suppliers. The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure.
"They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they've identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor recommendation on patching and configuration guidance. All agency heads will be held accountable by the President for implementing these risk management measures."
Amit Yoran, chief exec of Tenable Network Security, headquartered in Maryland, commented: "It's clear that the US needs a fundamental change in the way we approach cyber. President Trump's executive order on cybersecurity is an important step toward addressing the biggest cybersecurity challenges.
"America currently spends over $80 billion per year on federal IT, but money alone won't improve cybersecurity. Change can only happen if security is prioritized at the highest levels of government. This new executive order has the potential to force federal agencies to rethink their security strategies and to address today's elastic attack surface," he added.
Modernization of IT systems in government represents a key opportunity and challenge, according to Yoran.
"As agencies embrace modern IT, including shared cloud services and internet-enabled devices, it is important to understand the changes in the attack surface and embrace new opportunities to enhance security ... The executive order's prioritization of assessing and mitigating known vulnerabilities is a good step forward."
Brian Laing, senior vice president at Lastline, headquartered in Redwood City, California, said: "A key to success, nationally or within an enterprise, is executive buy-in. This order is a much-needed executive step that will focus efforts and increase resources deployed against improving our nation's cybersecurity."
The order makes no provision for any new spending on cybersecurity, focusing instead on (relatively inexpensive) assessments and plans.
"Overall, it appears the order implements important first steps," said Leo Taddeo, CISO of Cyxtera Technologies, headquartered in Florida. "It highlights the cybersecurity issue, puts agency heads on notice that they are accountable, and directs them to assess the risk and develop plans to mitigate them. This is a solid approach.
"The question is whether agencies will be able to execute the plans within reasonable spending constraints. The best hope in the order is the emphasis on shared services as a means to increase cybersecurity and reduce spending," Taddeo concluded. ®