Key points from Trump’s cyber security Executive Order
Last week, President Donald Trump signed his much-leaked and heavily delayed executive order on cyber security. We take you through some key points, why they matter and how the new measures have gone down with industry, agencies and others.
First up: More direct accountability for agency heads.
The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.
This marks a significant shift in accepted practice. Up until now, there has always been implicit responsibility for agency heads to shore up their cyber defences, but this document is explicit: the buck stops with individual agency heads. This will almost certainly be tested in the coming months, as cyber attacks are constantly growing, and the White House response will be telling.
The NIST framework is now a mandatory requirement
Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.
Unlike inflexible statutory regulation, the NIST Framework is designed to be a living, constantly adapting set of best practices and guidelines that takes input from government and industry in equal measure to shape cyber security protection of critical infrastructure in the USA. Originally called for by President Obama, this policy continuation will be welcomed by the marketplace to maintain stability and increase cyber sophistication as a whole.
Get with the times
The executive branch has for too long accepted antiquated and difficult-to-defend IT. Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance.
This Executive Order was released one day before the WannaCry ransomware attacks took place, exploiting a known vulnerability in a major release of Windows that Microsoft had stopped supporting more than three years earlier, although it had released a patch for the flaw. This level of explicit detail suggests that using legacy hardware as an excuse not to migrate to better-supported, newer operating systems will no longer be tolerated.
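The three conditions the order names (operating systems or hardware past vendor support, vendor security patches not applied, and security configuration guidance not executed) are concrete enough to check mechanically against an asset inventory. The script below is an added example, not part of the article or the order: it walks a constructed inventory, flags each host against those three conditions, and rolls the findings up into the kind of agency-level count an agency head would now be accountable for. The Host fields, OS names, dates and patch counts are all assumptions made for the illustration.

```python
"""Added example (not from the original article): flag hosts against the three
'known but unmitigated vulnerability' conditions named in the Executive Order.
All inventory data below is constructed sample data, not real hosts."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    support_end: date                # vendor end-of-support date for the OS (assumed known)
    unapplied_security_patches: int  # vendor security patches released but not installed
    baseline_applied: bool           # security-specific configuration guidance applied?


def known_vulnerabilities(host: Host, today: date) -> list[str]:
    """Return the order's named 'known vulnerability' conditions that apply to this host.

    Each finding is prefixed with a category tag so a summary can be built from it.
    """
    findings = []
    if today > host.support_end:
        age_days = (today - host.support_end).days
        findings.append(
            f"unsupported: {host.os_name} left vendor support {age_days} days ago"
        )
    if host.unapplied_security_patches > 0:
        findings.append(
            f"unpatched: {host.unapplied_security_patches} vendor security patch(es) not applied"
        )
    if not host.baseline_applied:
        findings.append("misconfigured: security configuration guidance not applied")
    return findings


def triage(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Map each host name to its findings, hosts with the most findings first."""
    report = {h.name: known_vulnerabilities(h, today) for h in hosts}
    return dict(sorted(report.items(), key=lambda kv: len(kv[1]), reverse=True))


def category_counts(report: dict[str, list[str]]) -> dict[str, int]:
    """Count hosts per category for an agency-level summary of unmitigated risk."""
    counts = {"unsupported": 0, "unpatched": 0, "misconfigured": 0}
    for findings in report.values():
        for finding in findings:
            counts[finding.split(":", 1)[0]] += 1
    return counts


# Constructed sample inventory: names, OS labels, dates and counts are illustrative only.
ASSESSMENT_DATE = date(2017, 5, 12)
SAMPLE_HOSTS = [
    Host("fileserver-01", "ExampleOS 5", date(2014, 1, 31), 3, False),  # out of support >3 years
    Host("web-02", "ExampleOS 8", date(2020, 1, 14), 1, True),          # one patch outstanding
    Host("jump-03", "ExampleOS 8", date(2020, 1, 14), 0, True),         # compliant
]

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS, ASSESSMENT_DATE)
    for name, findings in report.items():
        print(name, "->", findings or ["no known unmitigated vulnerabilities"])
    print(category_counts(report))
```

Feeding the script a real inventory is a matter of replacing SAMPLE_HOSTS with records from a CMDB or endpoint-management export; the support_end field is the piece most organisations lack, which is exactly why the order calls out unsupported platforms as a known, rather than unknown, risk.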
Filling the gap
Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.
Tech companies around the world are struggling to fill well-paid, white-collar jobs in cyber security. An ever-widening group of companies are chasing after the same people, offering higher and higher salaries. This is patently unsustainable and industry must work together with providers of higher education (as is happening in the UK) to better equip those training to join the cyber workforce of tomorrow. Government-mandated action on this will be welcomed.
But what’s left out?
Well, the Executive Order makes no mention of electoral systems, despite alleged Russian interference in the 2016 elections across the USA. More tellingly, every reference is to 'protection' and 'defence' rather than to offensive cyber operations. Recent missile launches by North Korea are said to have been compromised by highly targeted cyber attacks in the USA, and the WannaCry attack was made possible by the leak of top-secret NSA cyber weaponry, nicknamed 'EternalBlue'. The American government is known to be prioritising development of its own cyber offensive programme, but this order makes no mention of the rules of engagement in cyberspace.
CEO of Tenable Network Security and Qatalyst Global client, Amit Yoran said: “America currently spends over $80 billion per year on federal IT, but money alone won’t improve cybersecurity. Change can only happen if security is prioritized at the highest levels of government. This new executive order has the potential to force federal agencies to rethink their security strategies and to address today’s elastic attack surface.”
How’s this gone down? What’s the reception been like?
The timing of this EO was rather unfortunate, coming just one day before the WannaCry attack. However, industry response has generally been warm, and political journalists are calling it 'the least controversial document to be adorned with the president's signature since the inauguration'. This may be because the order draws heavily on the policy roadmap outlined by President Obama, offering incremental improvements and consolidation of existing ideas.
However, Trump and allies deserve recognition for the level of detail included in the document, which shows the degree to which the language of cyber security has penetrated through to the very heart of government.
About Us: Qatalyst Global
Qatalyst Global is a pure-play B2B events company operating globally, working in fields including cyber security, artificial intelligence, Industrial IoT, blockchain and more. Headquartered in London, our team works closely with leading IT professionals, engineers, academics, government and select vendors to ensure our events are consistently end-user focused and driven by the requirements of the market.
• Cyber Security for Critical Assets Summit Europe – London, October 4-5 www.cs4ca.com/europe
• ManuSec Summit USA – Chicago, October 11-12 www.manusecevent.com/usa
• Industrial IoT Summit Europe – Munich, November 8-9 www.industrialiotseries.com/europe