The recent WannaCry campaign took over news cycles, hindering an evaluation of Trump’s recent cybersecurity Executive Order (EO) — but I’ll admit, upon closer scrutiny, it’s a good start. This is particularly true if the goal is to kickstart a national cybersecurity strategy from scratch.
As a whole, there are no glaring errors despite some notable omissions, which I will touch on in this post. The EO identifies stakeholders, empowers them, asks for a plan and subsequently holds those stakeholders accountable. It’s much like any reasonable organizational policy. What is interesting, though, is the operational processes the EO demands.
Operationally, each department is asked to submit a security audit upstream — all the way to the President — that details current status, major identified risks and a plan to address them. The stickler here is that each sub-order only provides 90 days or less to submit. Given the respective IT scope of each agency, this could be quite an ambitious goal unless they have already done most of these framework audits — which is entirely possible. Additionally, the President, the Department of Homeland Security and the Office of Management and Budget are all going to receive a metric ton of audit reports to sift through as they attempt to develop Stage Two of the plan — i.e. now that we know what’s broken, let’s figure out a plan for how to fix it and how to pay for it.
At this stage, budgeting will be another huge item. We probably should expect HUGE budget increases, if even just requests, and a large fight over what agency gets what and how much. Again, it’s a good place to start. But we’re jumping ahead of the gun, what’s the actual process going to be like and what will it take to pull off?
- The transmission, access and storage of all these audits will be paramount. If the agencies are forthcoming and accurate with their audits, the amount of sensitive data about the current security of their IT environments and major risk areas will be an attractive target for state actors. And successful pilfering of the information could lead to some worse case scenarios.
- The audit function, assessing the current security status of each agency, cannot just be a one-time thing like the order implies. Audits should be scheduled at least annually, or even better — automated. IT environments change often, as does the threat landscape. If the time distance between when the audits are submitted with recommendations and when the budget is approved is too long, priorities could be off.
- There is zero purchasing guidance for agencies in regards to sector IT purchases (e.g. hardware, software, and services). One of the strongest levers the federal government has to improve cybersecurity for everyone is their budgetary power. They need to leverage it smartly while maximizing its benefit instead of blind “best-of-breed” purchases that end up wasting resources on trying to operationally secure them. Moreover, as an accountability accompaniment, if agency heads will be accountable for the security of their environments, so too should their IT and IT security vendors who supply products and services. Yes, I’m talking about financial liability for private organizations that sell to the government. For example, there are now a number of security vendors are now offering warranties that guarantee the effectiveness of their products, and hopefully more will continue to do so.
- Finally, the order assumes, dangerously so, that every agency isn’t already hacked. It feels like they think they’re starting with clean environments, which is pretty likely not the case. As agencies conduct the framework audits, they should absolutely look for indications of compromise, as those instances should be triaged and dealt with immediately. It doesn’t make much sense to try and secure a system that is already fundamentally compromised.
Ultimately, the EO on its own is pointing the government and its agencies to a higher level of accountability. This could lead to great success, even possibly affecting private sector companies that deal with government entities. All that’s left to see is if everyone executes on this effectively. We’re certainly rooting for it.