
Experts debate effects of government cybersecurity executive order

A leaked version of a draft of a government cybersecurity executive order from President Trump has experts debating the effects such an order would have.

The new presidential administration drafted a cybersecurity executive order for government agencies to perform extensive 60-day audits of systems, but experts are unsure how effective such a plan could be.

The leaked draft of the cybersecurity executive order, titled "Strengthening U.S. Cyber Security and Capabilities," is similar in scope to an executive order enacted by former President Barack Obama shortly after taking office for his second term. Both the recent draft and Obama's order focused on government cybersecurity assessments that would inform future plans of action.

The leaked draft of President Donald Trump's executive order called for government cybersecurity audits that would take place over 60- or 100-day periods and aim to identify areas of improvement, or areas where specific legislation would be needed.

Sean Spicer, press secretary for the White House, said in a press briefing held on Tuesday that the cybersecurity executive order was intended to "secure the federal networks we operate on behalf of the American people, work with industry to protect critical infrastructure and maintain our way of life, and advance the cause of internet freedom."

The executive order, first announced last week, has been delayed, as Trump reportedly planned to meet with cybersecurity experts. Meanwhile, experts have suggestions on whether such an audit could be effective for government cybersecurity, or if Trump may want to take a different approach.

Carson Sweet, CTO and co-founder of San Francisco-based CloudPassage, said a 60-day time frame for the audits would not be feasible "if they want the audit to be accurate and practically useful."

"It's a reactive move; you see this when an administration is trying to posture or prove a point. But more concerning is what happens when the audit comes back with a three-year backlog of problems. If the administration takes a reactive posture on trying to fix the problems found, it will be a fire drill on a massive scale, which is rarely helpful," Sweet told SearchSecurity. "Fixing the underlying structural and operational problems that allow these vulnerabilities to linger in the first place might be a better use of resources."

John Chirhart, federal technical director for Tenable Network Security, based in Columbia, Md., said it might be possible to do an audit of government cybersecurity systems in the time allotted, but focusing solely on government agencies could overlook issues with government contractors, like those that led to the stolen credentials used in the Office of Personnel Management breach.

"The [Department of Defense, or DOD] is working toward making this a reality with the move toward the Risk Management Framework (RMF). The RMF will help shorten the time needed to conduct such readiness assessments. Unfortunately, adoption has been slow," Chirhart told SearchSecurity via email. "Another risk factor not likely taken into account by the rumored executive order includes the countless companies that work for the DOD. They often contain sensitive data, such as research and design documents. Until recently with the release of the NIST 800-171, these companies were largely ignored in terms of proving cyber-readiness. The executive order should include coverage to any company doing business with the DOD."

John Bambenek, threat systems manager for Fidelis Cybersecurity, based in Bethesda, Md., said meeting with cybersecurity experts could be valuable, and it was "one of the good things President Obama did" before signing his cybersecurity executive order.

"The communication with this executive order and others so far has been lacking. I would hope the revisions will entail more focus on what can be done to actually accomplish solving many of the problems that have been talked about for years, but no real progress has been made," Bambenek told SearchSecurity. "Additionally, [there should be] a focus on enhancing international cooperation, so we can greatly expand our ability to put criminal actors in prison. Currently, criminals can act with near impunity as long as they don't victimize people in their own country. The key to stopping the rapid expanse of cybercrime is for nations to work together on at least the criminal side of the equation."

Chirhart said an audit is "a great way to measure where you are," but would be pointless unless "funding and mandates to fix what is found are included as part of the executive order."

"At its core, the most basic way to measure your effectiveness is to measure the date of vulnerability detection to the date of mitigation. If that number is moving to the right, you are losing the battle. If that number is staying about the same, you are at least treading water. And if it's moving to the left, you're doing the right things," Chirhart said. "But, at the end of the day, to move the mark to the left, you need the resources, tools, processes, funding and political support to make time for mitigation."
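As an added illustration of the detection-to-mitigation metric Chirhart describes (this code is not part of the article or any quoted expert's work), the following Python computes the median days from detection to mitigation per quarter over constructed sample findings and classifies the trend as moving right (worse), left (better) or flat. Open findings are counted at their age so far, since dropping them would flatter the number.

```python
from datetime import date
from statistics import median

# Constructed sample findings (not from the article): (detected, mitigated);
# None means the finding was still open as of the snapshot date.
FINDINGS = [
    (date(2016, 1, 10), date(2016, 2, 20)),
    (date(2016, 2, 3), date(2016, 3, 1)),
    (date(2016, 3, 15), date(2016, 3, 30)),
    (date(2016, 4, 5), date(2016, 5, 25)),
    (date(2016, 5, 9), date(2016, 7, 8)),
    (date(2016, 6, 1), date(2016, 7, 20)),
    (date(2016, 7, 12), date(2016, 10, 1)),
    (date(2016, 8, 4), date(2016, 11, 2)),
    (date(2016, 9, 20), None),
]


def quarter(d):
    """Label a date by calendar quarter, e.g. 2016Q3."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def days_to_mitigate(detected, mitigated, as_of):
    """Days from detection to mitigation; open findings use their age so far."""
    return ((mitigated or as_of) - detected).days


def quarterly_median(findings, as_of):
    """Median detection-to-mitigation days, bucketed by detection quarter."""
    buckets = {}
    for detected, mitigated in findings:
        age = days_to_mitigate(detected, mitigated, as_of)
        buckets.setdefault(quarter(detected), []).append(age)
    return {q: median(v) for q, v in sorted(buckets.items())}


def trend(series, tolerance=0.1):
    """Compare first and last period: 'right' = slower (losing), 'left' = faster."""
    quarters = list(series)
    first, last = series[quarters[0]], series[quarters[-1]]
    if last > first * (1 + tolerance):
        return "right"
    if last < first * (1 - tolerance):
        return "left"
    return "flat"


if __name__ == "__main__":
    series = quarterly_median(FINDINGS, as_of=date(2016, 12, 31))
    print(series, "->", trend(series))
```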



What steps do you think should be included in any potential cybersecurity executive order?
The troubled cybersecurity waters run much deeper. While policy is a starting point and a necessity, it is only one component of a strategic approach that, historically, has evolved into an onerous set of often redundant, sometimes conflicting, occasionally grossly ambiguous or impracticable, regulations, processes, methodologies, paradigms, measures and metrics. Pundits like to focus on the essential dynamism of cyber technologies; no matter what is wagging which, there is a similar dynamism in cybersecurity - that has its own logic, not always deterministically driven by the latest incident. The aggregate effect in cybersecurity, for those who practice it, seems philosophically grounded in "shoot self in foot" imperatives. 

There is a rich reservoir to be plumbed for disciplined analysis into the relationship and magnitude of leadership and culture to cybersecurity effectiveness. Perhaps some reflective analysis on similar initiatives in the financial community could provide a launch point for serious analysis. In no particular order of priority, I submit that the "systemic" problems that need to be addressed in order to monkey-wrench a long-term approach include the following: 

- leadership and cultural incentives that often favor individual objectives and non-cybersecurity ends (e.g., climbing the ladder, the politics of decision-making, time management, etc.)
- the paucity of empirical, quantitative approaches to understanding current risk/security state let alone predicting or clustering for learning
- the hugely variable CS workforce training, experience and ability sets
- the overweening dependence on tools whose internal logic/algorithms most analysts do not understand or have time to examine 
- as mentioned above, the chilling, burdensome excess of mandated processes; look at one agency in government: one now has to run the acquisition gauntlet, develop requirements from multiple sources; run a JCIDS process that has been traditionally weak when it comes to actual cybersecurity KPPs/KSAs; perform RMF that has questionable quantitative merit (and certainly non-calibrated evaluators) when it comes to actual risk assignment; perform cyber assurance processes that are a wedge into existing practices and require assessment of a whole new set of standards; execute all sorts of test and evaluation processes that spill out from management initiatives that occur at different points in time, account for design and implementation mandates that issue not only from policy owners but operational entities(!), account for different requirements sources and approval authorities, meet a whole panoply of compliance requirements, require "artifacts" many organizations don't have the time or people to produce; a capabilities process that inevitably leads to different mission profiles that drive varying architectures which are inherently complex and near impossible to integrate at times
- a threat intelligence process that could be better organized and purposed to support development initiatives
- endless mandates without accompanying funding

The list goes on. Progress is being achieved. A significant problem, however, is that we're nearing the point of implosion. To this point, there does not appear to be an Adam Smithian like hand moving the cybersecurity marketplace of ideas, policies and implementations in a rational manner that quickly disposes of the proverbial bad idea, bad policy, ineffective or inefficient decision. We have met the enemy - and it is us?