Mixed response from IT security pros following release of Cyber Security Executive Order
By Greg Masters
In a week filled with controversy surrounding the Trump administration, including the unexpected and abrupt dismissal of FBI Director James Comey, the president’s executive order on cybersecurity has been somewhat obscured in public forums but has drawn immediate, if mixed, reactions from cybersecurity professionals, who either praise it for providing much-needed guidance or criticize it for falling short.
The Cybersecurity Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” meant to bring efficiency, clarity and additional protections to government IT systems, charges the government with reviewing its cyber posture and pins responsibility for cyber risk on those officials who lead federal agencies.
While some praise the directive for its guidance, others say its guidance falls short.
Phil Dunkelberger, CEO, Nok Nok Labs, says his firm appreciates the sentiment behind the EO and the need to understand the current gaps within the cyber capabilities of the government and where the departments are from a budget standpoint. And, he acknowledges, there are a lot of good, talented individuals who have been working on these problems for a long time, both behind the scenes and in the spotlight.
But, he told SC Media, “There is really nothing new here, it is a continuation of what we’ve already been doing (and in many cases failing).”
He says the industry needs nothing short of a revolution, citing the cyber EO as an evolution and continuation of the same frameworks and reports put forth the last 10-15 years.
“We have made strides,” Dunkelberger said. “The question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren’t playing by any rules.”
Mike Kail, co-founder and chief innovation officer, Cybric, told SC that the devil is in the details. “We need to focus on modernization and making smart investments versus trying to protect what’s already there and vulnerable. If we keep trying to put controls around critical and failing infrastructure, that’s not a good strategy.”
Instead, he says, “we should take an offensive approach by investing in the modernization of our infrastructure.”
“While the executive order does address some of the potential issues involved with adequately managing cybersecurity risk, the White House still runs the risk of doing too little too late,” Gidi Cohen, CEO, Skybox Security, told SC Media. “Per the order, while the general cybersecurity framework for each agency and department is based on NIST standards, each group is left to define and manage their own cyber risk, leaving the potential for a fragmented and incomplete point of view of the nation’s overall attack surface.”
Attacks – whether from a nation-state, hacktivist, or commercialized cybercriminal attack – target vulnerabilities that provide the easiest path into a network, Cohen said. “Without visibility into the attack surface as a whole, the government is put in the position of reacting to breaches – relying on strong wall defenses and other indicators of compromise to determine a course of action – rather than avoiding them. What’s more, these exposures could be exploited by different parties than most might think.”
State-sponsored activity gets all the attention, Cohen explained, but there are more pernicious threats out there today. These may initially have a lower impact than those involving international espionage but could eventually have an extremely negative effect on national security, public confidence, and our economy, Cohen told SC.
“As the agencies and departments responsible for protecting critical cyber infrastructure now begin to shift their focus to make sure they are aligned with the official White House perspective, it is unfortunate the executive branch hasn’t decided to take a more holistic approach,” Cohen said. “A centralized focus on government-wide indicators of exposure would empower a proactive, unified cybersecurity program. To accomplish that would be no simple task. Just like in the commercial sector, gaining this deep level of understanding is difficult in the ever-shifting cyber landscape.”
Cohen’s prescription for successfully guarding crucial cyber infrastructure has the government making use of every tool it can – including network modeling, attack vector analytics and threat-centric vulnerability intelligence – to identify the most critical exploitable attack vectors in real time. “Once those have been identified, so are the security weaknesses that could enable the continuation of an attack, allowing agencies to proactively find and fix exposed security risks before they can be exploited and potentially sold to the growing network of commercialized cybercriminals.”
Daniel Castro, vice president of The Information Technology and Innovation Foundation (ITIF), said, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.”
Cybersecurity should be a top priority for the Trump administration, Castro said. “The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”
He adds that it’s incumbent upon the administration to implement its stated goals for cybersecurity. “Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government.”
Additionally, Castro said, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.
He does have praise for the White House including much-needed government IT modernization and consolidation as part of the executive order. “While there are many reasons to pursue IT modernization, the administration is likely to have the most success getting this done as a cybersecurity mandate rather than as a push for efficiency.”
“The President’s executive order does not propose a concrete plan for cybersecurity, it merely calls for a top to bottom review of where things stand,” Sanjay Beri, CEO, Netskope, told SC. “While this is a step in the right direction, kicking the can down the road leaves remaining questions about what exactly the administration’s plans are for tackling what has arguably emerged as the single most existential threat to our livelihood: defending our cyber infrastructure.”
What’s more, Beri said, the administration has yet to fill the federal CISO vacancy, leaving the government without a leader at the helm to help implement and enforce security policies and practices. “For a president so concerned about establishing a positive legacy, this seems an obvious – and critical – area to address.”
Mounir Hahad, senior director, Cyphort Labs, told SC Media that there isn’t much to write home about in this executive order. “It is basically asking for a status report from the various agencies of the executive branch, something that should be taking place on a regular basis if our administration were to establish an adequate maturity level and exercise self-introspection as defined by the Carnegie Mellon Capability Maturity Model for organizations.”
However, he said he welcomed the initiative nonetheless and looks forward to what recommendations will be funded from the outcome of all the reports. “I am not sure that the head of any agency has ‘for too long accepted antiquated and difficult-to-defend IT.’ By choice. I hope the reports will shed the light on what regulation has imposed draconian restrictions on the agencies’ freedom to act and stay on top of a threat landscape that changes at neck-breaking speed.”
Philip Lieberman, president, Lieberman Software, told SC that if there is no budget from Congress for the order, it will have little real effect. “All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.”
Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved, Lieberman said. “Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”
Tim Erlin, VP, product management and strategy, Tripwire, said that even with this long-awaited executive order, the essential priorities of cybersecurity remain the same. “We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack,” he told SC. “Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.”
Critical infrastructure must be addressed at the highest level, Erlin noted. “The executive order calls for a number of reports to be produced assessing the current state of information security across agencies. The truly telling results will only come after the production of these reports and be measured by the actions they initiate.”
“This is a good step in the right direction,” Jeff Engle, VP, government sector, UDT, told SC Media on Friday. When it comes to assessing the cyber workforce, Engle said he believed the focus is a bit acute on the personnel who may have cyber in their title rather than on the evolution in the general workforce. “Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
Will Ackerly, co-founder and CTO, Virtru, is glad to see the president focused on bolstering cyber defenses. “It is very reassuring to see the Executive Order call out the need for interagency and international cooperation,” he told SC. “It is also great to see the topic of cloud storage presented so centrally. The cost and collaboration benefits of the cloud are undeniable, and, when combined with data-centric protections, such as strong encryption, government information will be even more secure. Finally, the ‘open and transparent process’ in identifying / promoting action by stakeholders to improve resilience of internet communications is highly encouraging!” Ackerly told SC.
But there’s a caveat. Ackerly believes that the specific methods outlined in the Order are necessary but not entirely sufficient to protect the nation. “Each department should have an experienced CISO in place who may report day-to-day to the agency chief, but should also have accountability to a cross-agency authority. This would encourage collaboration between agencies and ensure that critical information including threat intelligence, vulnerability assessment, and best practices for cyber-defense are rapidly and completely shared.”
Additionally, Ackerly said the Executive Order is missing any mention of intellectual property protection. “While an EO cannot force companies to do things directly, outlining the need for our businesses to have strong privacy protections in place would speak volumes. Government support for these kinds of endeavors would ensure that the fruits of our economic labors are not appropriated by nation state actors or other hostile parties. Until we focus on specific protections for our business and consumer data, including strong encryption, we will continue to be vulnerable.”
Steven Grossman, VP of strategy, Bay Dynamics, told SC that it is great to see that the President’s executive order supports a risk-based approach to cybersecurity. “That means prioritizing agencies’ most valued assets, such as critical infrastructure, and tackling the threats and vulnerabilities that could compromise those assets first. The order makes references like ‘commensurate with risk and the magnitude of harm,’ which ties to the necessity of measuring the mission impact if an asset at risk were compromised and prioritizing mitigation actions based on those that reduce impact the most.”
Further, the EO uses the NIST Cybersecurity Framework as the core framework agencies should follow, Grossman said. This also supports a risk-based approach. However, he added, it may not be detailed enough in the long run.
“Another great feature is that the order promotes accountability, assessment and remediation of cyber risk across many stakeholders in the agency, those in and outside of security,” Grossman said. “Cyber risk management cannot solely be the IT and security team’s problem. Stakeholders across the business from application owners who govern highly valuable assets to upper management who make investment decisions, must be involved in taking action to reduce risk.”
The order contains many positive steps that, when implemented, should significantly help reduce risk, Grossman said. “However, we would like to see more continuous monitoring requirements instead of just periodic compliance-like assessments and remediation. The order should not be viewed as yet another compliance checkmark; it should be a continuous process.”
Finally, Grossman said that focusing on building up skills and competency in the workforce is a critical activity, but there needs to be a more immediate plan in place for response until that ramp-up occurs.
Stephen Coty, chief security evangelist, Alert Logic, agrees that the EO is using a risk-based approach for the U.S. government and its suppliers. “The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure,” Coty explained.
“They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they’ve identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor’s recommendation on patching and configuration guidance. All agency heads will be held accountable by the president for implementing these risk management measures.”
Coty is keen on the move to the cloud, citing the NIST Framework. “Government can now feel assured that cloud computing is a secure option for storage and access of their data.”
Larry Payne, head of Cisco’s U.S. public sector, told SC Media on Friday that the EO represents a renewed commitment to protecting federal IT networks. “With the NIST Framework as a guide, agencies can improve enterprise risk management capabilities and simplify their approach to security. A key piece of this effort will be continuing the push to modernize government systems, including rooting out unpatchable legacy hardware and better lifecycle management.”
Payne said his company looks forward to working with agency leaders to implement a strategic security approach, rather than deploying project-based solutions in response to incidents or compliance.
The EO is a tall order to accomplish in the timeline set forth, said John Kronick, director ATG Cybersecurity Solutions, Stratiform, a PCM Company. “Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use are still under development,” he said. “That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment.”
Kronick listed a number of steps that should be taken, including initiating mandatory CSF training for agency executives, risk managers and cybersecurity staff; developing a uniform method for assessing the effectiveness of the CSF implementation and use; requiring mandatory escalation of critical and high-risk issues such that they are resolved in a timely manner; initiating cybersecurity awareness training for all citizens, making it mandatory for all employees and workers of federal agencies and critical infrastructure entities, and requiring it more frequently than once per year; establishing a cybersecurity training and recruiting program to facilitate short-term and long-term staffing within the agencies; and requiring budgetary funding for remediation of CSF findings and gaps such that agencies will execute remediation measures with sufficient budget for tools, resources, etc. As well, he said, metrics should be established for centralized tracking of agency CSF risk assessments, along with a centralized risk register to track remediation efforts.