Following the news that Donald Trump has signed an executive order on cybersecurity, which makes clear that agency heads will be held accountable for protecting their networks and calls on government and industry to reduce the threat from automated attacks on the Internet, IT security experts from Lastline, CA-based Cyphort Labs, Los Angeles-based Lieberman Software, Portland, OR-based Tripwire, Plixer, Nozomi Networks, Cyxtera Technologies, Tenable Network Security, FireMon, Alert Logic, Splunk, Venafi and Axio commented below.
Brian Laing, Senior Vice President at Lastline:
“A key to success, nationally or within an enterprise, is executive buy-in. This Order is a much-needed executive step that will focus efforts and increase resources deployed against improving our nation’s cybersecurity. Cybercrime is a lucrative business with criminals investing countless hours to find new vulnerabilities, evade detection, and launch creative, sophisticated attacks. The end result is that malware is evolving faster than signature-based systems can adapt.
The first step in designing a security strategy is to assume that perimeter defenses will be breached. The next step is to ensure safeguards are in place to detect evasive malware and resulting malicious network activity before any real damage is done. Advanced malware detection delivers deep insights into activities that malware is designed to execute, network traffic analysis that highlights suspicious network activity, and global threat intelligence that provides essential contextual detail.
Advanced malware protection technology will play a pivotal role in the future of cybersecurity as it detects advanced malware and zero-day attacks that signature-based technology misses. The resulting knowledge of the full scope of an attack will focus analysts’ efforts and streamline their mitigation and remediation efforts.”
Mounir Hahad, Senior Director at Cyphort Labs (Santa Clara, CA):
“There isn’t much to write home about in this executive order. It is basically asking for a status report from the various agencies of the executive branch, something that should be taking place on a regular basis if our administration were to establish an adequate maturity level and exercise self-introspection as defined by the Carnegie Mellon Capability Maturity Model for organizations.
I welcome the initiative nonetheless and look forward to what recommendations will be funded from the outcome of all the reports. I am not sure that the head of any agency has ‘for too long accepted antiquated and difficult-to-defend IT.’ By choice. I hope the reports will shed light on what regulation has imposed draconian restrictions on the agencies’ freedom to act and stay on top of a threat landscape that changes at breakneck speed.”
Philip Lieberman, President at Lieberman Software:
“If there is no budget from Congress for the order, it will have little real effect. All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.
Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved. Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“Even with this long awaited executive order, the essential priorities of cybersecurity remain the same. We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack. Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.
With cybersecurity concerns on the rise, it’s important for the government to set a strong example. In a survey Tripwire conducted in February 2017, only 17 percent of security professionals said they were confident in the US Government’s cybersecurity posture.
Another recent Tripwire study found that 96 percent of IT security professionals were expecting attacks on critical Industrial IoT infrastructure segments such as energy, utilities, government, healthcare and finance. The study of 403 IT security professionals worldwide revealed that an overwhelming majority feel additional precautions are needed to adequately secure the IIoT, and more than half (51 percent) do not feel prepared for such attacks.
These survey results send a clear message that critical infrastructure must be addressed at the highest level. The executive order calls for a number of reports to be produced assessing the current state of information security across agencies. The truly telling results will only come after the production of these reports and be measured by the actions they initiate.”
Michael Patterson, CEO at Plixer:
“The Federal Government has suffered a series of disastrous breaches, such as the one that struck the Office of Personnel Management (OPM), that have exposed personal information of hundreds of Federal Workers as well as private citizens. The IRS as well as private individuals have been targeted by hackers snatching tax refunds. All of these incidents and more point to the importance of this new Cyber Security Executive Order and the urgency it sparks to upgrade Government infrastructure to defend against cyber attacks. There is no silver bullet, but the order needs to go further and require government agencies to have forensic incident response systems in place that can remediate cyber challenges as quickly as possible. With the amount of attacks that Government Agencies incur every day, it is not a matter of if, but when hackers will be successful. The key is to be alerted and respond as quickly as possible.”
Edgard Capdevielle, CEO at Nozomi Networks:
“Section 2 of the order focuses on critical infrastructure and in particular, the electricity grid. It is encouraging to see the Federal Government take action that increases the urgency for improving and ensuring the reliability of the power supply within the U.S. Electric Utilities and other critical infrastructure operators should know that recent advances in technology can improve the cyber security risk management efforts called out in this Executive Order. Innovations such as machine learning and artificial intelligence enable real-time monitoring and anomaly detection that offer critical infrastructure operators better tools to manage cyber risk and minimize disruptions.”
Leo Taddeo, CISO at Cyxtera Technologies:
It may be helpful to think in terms of three categories: a) General; b) What the Order does; and c) What the Order doesn’t do.
General:
“It is helpful to compare the order issued today to the draft order floated by the Administration in January 2017. In some ways, contrasting the two orders gives the public some insight into the evolution of the Administration’s understanding of the problem and its approach to finding solutions. For example, the draft order gave DoD a very muscular role in almost every component of the original plan. In the signed order issued today, DoD is tasked with contributing to the plan in areas more in line with its war fighting capabilities. Similarly, the earlier order sought to explore ways to promote cyber resiliency in the private sector by creating financial incentives (i.e. tax breaks) to spend on cybersecurity. The signed order turns to market transparency to encourage critical infrastructure entities to properly mitigate cyber risks. This approach transfers the costs and risks of improper planning to the infrastructure owners and investors and away from the taxpayer.”
What the Order Does:
“The very first section of the Order puts federal agency heads on notice that the President will hold them accountable for the effective management of the cyber risk within their respective agencies. While agency heads have always been accountable, this explicit assignment of responsibility elevates the issue and should focus more attention on addressing the threat.
“The Order requires agency heads to implement the NIST Risk Management Framework to develop assessments and plans. This is an important step in normalizing the process for risk management within the federal government. It’s also a big boost for the NIST approach and will likely lead to broader adoption in the private sector as well.
“The Order directs agency heads to show procurement preference for IT Shared Services, including email, cloud, and cybersecurity services. While the push toward shared services is not new, it is important to note the emphasis of “cloud” in the context of a cybersecurity order. This is a change from the past, where IT professionals avoided the cloud because it was perceived to be less secure. The President’s endorsement of the cloud shows that the more common thinking today is that cloud means higher security. Companies providing security solutions in the cloud, such as Cyxtera, may see an uptick in federal business as these preferences translate to projects and spending.
“In Section 2, the Order directs an examination of federal policies that promote appropriate market transparency in cybersecurity risk management for publicly traded critical infrastructure entities. This appears to be an attempt to allow investors to gain better access into the cyber risks faced by the infrastructure companies they invest in. This is a novel “market” approach to creating a financial incentive for infrastructure entities to take steps to protect themselves.
“The Order directs agencies to promote stakeholders to promote action against botnets. This is a forward-looking goal, as the threat from hijacked devices in the “internet of things” looms over the horizon. Unfortunately, we will have to wait for the plan to see the specific proposed solutions.”
What the Order does not do:
“The Order is not a plan to fix the federal government’s cybersecurity challenges. Instead, it’s a directive to each agency to implement the NIST framework to assess the agency’s cyber risks and create plans to mitigate them. The task of judging the adequacy of the assessments and the plans falls on DHS and OMB. This is a risky approach, given DHS’s questionable track record in cybersecurity.
“It does not direct any new spending on cybersecurity. Assessments and plans are relatively cheap. The real pain will come when the only way to become more resilient is to spend large sums on new infrastructure and highly skilled staff. These decisions are left for an undetermined later date.
“Overall, it appears the order implements important first steps. It highlights the cybersecurity issue, puts agency heads on notice that they are accountable, and directs them to assess the risk and develop plans to mitigate it. This is a solid approach. The question is whether agencies will be able to execute the plans within reasonable spending constraints. The best hope in the order is the emphasis on shared services as a means to increase cybersecurity and reduce spending.”
Amit Yoran, CEO at Tenable Network Security:
“It’s clear that the U.S. needs a fundamental change in the way we approach cyber. President Trump’s executive order on cybersecurity, released today, is an important step toward addressing the biggest cybersecurity challenges.
“America currently spends over $80 billion per year on federal IT, but money alone won’t improve cybersecurity. Change can only happen if security is prioritized at the highest levels of government. This new executive order has the potential to force federal agencies to rethink their security strategies and to address today’s elastic attack surface.
“The single biggest opportunity facing the new administration is modernization, which requires smart investments in security technologies that can help government agencies understand and reduce their cyber risk. As agencies embrace modern IT, including shared cloud services and internet-enabled devices, it is important to understand the changes in the attack surface and embrace new opportunities to enhance security. We look forward to working with leaders in government on the best approach to modernization that enhances security at every level. The executive order’s prioritization of assessing and mitigating known vulnerabilities is a good step forward. Agencies need the tools to detect networked devices and systems, and the ability to identify and prioritize methods to best mitigate risk.
“The importance of maintaining a robust and well-trained cybersecurity workforce to meet these challenges should also remain a topic for discussion. We can’t reasonably expect that any such effort will result in scaling the security workforce to meet the market’s insatiable demand. The only path forward is to develop and deploy cybersecurity technologies that enable our precious cybersecurity workforce to scale asymmetrically.”
Paul Calatayud, CTO at FireMon:
“The cyber security executive order signed by the administration was a great step forward for federal agencies. The order reinforces accountability and empowerment in the use of risk management practices. Often cyber security programs can have a false sense of security by managing against compliance as the measure, whereas risk management should open the conversation and scope of cyber security beyond IT and technology.
“For risk management to be successful in complex networks, intelligence and visibility are essential in order to measure and assess controls that are often represented within a risk registry.”
Stephen Coty, Chief Cybersecurity Evangelist at Alert Logic:
“This executive order is using a risk based approach to cybersecurity for the US government and its suppliers. The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernisation of their current IT infrastructure.
“They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they’ve identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor recommendation on patching and configuration guidance. All agency heads will be held accountable by the President for implementing these risk management measures.
“The framework that they are using was developed by the National Institute of Standards and Technology (NIST) and is titled “Framework for Improving Critical Infrastructure Cybersecurity”. According to this order, all agencies have 90 days to report back through their chain of command, and must document the risks and provide a strategic plan for mitigation, modernisation and budgetary considerations.
“There is language in the order that says that shared IT services, including email, cloud and cybersecurity services, are now viable options to be used by the US government and its agencies. With cloud now on the table and the innovation from the security space over the past decade, Government can now feel assured that cloud computing is a secure option for storage and access of their data.”
Kevin Davis, VP of Public Sector at Splunk:
- The President’s early focus on cyber is good for the public and private sector. Improving cybersecurity is one of the few items both sides of the aisle can reach across and agree on, and today’s executive order is a good, bipartisan step to better protect our government’s networks and critical infrastructure.
- Critical Infrastructure has an increasingly large target on its back. We’re not just talking about energy or power grids; we’re talking about the very foundation of the internet, which is more fragile than we thought, as evidenced by last year’s Mirai botnet attack. A concerted effort to better defend critical infrastructure, the defense industrial base and its ever growing supply chain is good for the country.
- Hackers’ preferred attack methods against the public and private sector change daily, and Trump’s executive order is a good reflection of the need for adaptability in today’s threatscape. And as methods of cybercrime continue to evolve, it will be important for government agencies to rely on data analysis to quantify the risk so they can adapt appropriately.
- It’s difficult for the government to maintain a technically sophisticated workforce, especially with the lure of Silicon Valley. Both sectors are strapped for qualified cyber talent that can protect our respective enterprises. With that, we should expect to see funding for higher ed school programs to train new cyber recruits to build up a new cadre of talent that serves both the public and private sector. The role of the security analyst has never been more important as government seeks to detect and respond to threats quicker.
- This EO promotes network consolidation and shared IT services, which is critical to streamline services and keep costs down. An increased focus on consolidation will also spur consistent views of a common security architecture, thus ensuring a stronger security posture across all agencies.
Kevin Bocek, Chief Cyber-Security Strategist at Venafi:
“The Order on strengthening government cybersecurity defences should bring some focus to our efforts to protect our critical infrastructure. However, there needs to be less focus on the cybersecurity incidents of the past. To keep government agencies and businesses safe, government orders and initiatives like this one need to be expanded to include threats that have the potential to impact us in the future. Cyber criminals are beginning to target cloud services, IoT devices and the wide range of new device types and applications businesses around the world employ. Government-led cyber security initiatives must encompass these changes or we will remain vulnerable. One of the most important aspects of effective cyber security protection is the preservation of strong encryption — this is critically important to keeping countries and businesses competitive in the global economy, ensuring safe digital commerce and preserving liberty.”
Jason Christopher, CTO at Axio:
“In the wake of advanced cybersecurity attacks, this Executive Order prioritizes the importance of our nation’s critical infrastructure. Beyond the provisions for a robust national security program at federal agencies, the EO refocuses on the NIST Cybersecurity Framework. We have applied this framework to dramatically improve the cybersecurity posture of countless critical infrastructure organizations, so we know it is tested and well proven.
The order also understands the importance of a robust risk management program that examines the impacts due to cyber security attacks. As a matter of fact, it calls for the creation of a power engineering study to analyze the impacts due to a potential cybersecurity attack, similar to the ones seen in the Ukraine over the past year and a half. Our nation’s power system is a complex machine that runs 24x7x365 where failure is not an option. Every day utilities face cyber threats and do a remarkable job of keeping the lights on—and a study like this will only help further educate grid operators and build on the success of events like the national GridEx table top exercise. Furthermore, by quantifying and measuring the potential impacts and responses to a cyber attack, our nation’s power utilities can better protect these vital systems.
This executive order is a good first step in identifying impacts and controls at a national level.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.