Recently, President Trump signed an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The order, originally designated to be signed shortly after his inauguration in January, was signed on May 11, 2017.
I had the opportunity to sit down with James Carder, LogRhythm CISO and vice president of LogRhythm Labs, and Dan Wilbricht, senior director of federal at LogRhythm to get their thoughts on what this order may mean for the cybersecurity space. Following is a Q&A on this action by President Trump and possible outcomes.
Q: What kind of a statement do you think this order makes regarding Trump’s policy on cybersecurity?
DW: The policy doesn’t seem to change all that much from the previous administration—although it does increase some funding in a few areas and requires self-reporting through the NIST framework. While it does provide guidelines, the action is still in the hands of individual agencies.
Trump believes that the current policy from Obama needed to be upgraded. It seems like he wanted to get something out there—but potentially something that wouldn’t cause too much trouble.
JC: In my opinion, this order doesn’t seem like much of a statement at all. Employing a policy on cybersecurity is a good thing, but the previous administration did the same thing. They also had a cybersecurity policy and executive order around protecting information and critical infrastructure. Trump’s order seems like more of the same.
The question is whether this will be effective. Accountability and funding will be critical in determining the success of such an action. If accountability or funding is missed, four years from today we’ll be in the exact same position.
For those who have been in this industry, it feels like we’ve seen this before. Many are taking a “wait-and-see” approach.
Q: How do you think this order will change how cybersecurity is treated in the U.S. government today?
DW: Agencies will likely be more focused on compliance (especially with the NIST framework). However, many agencies—such as the DoD—have already changed their behavior in order to be compliant. For some, it won’t be much of a change.
JC: It really depends on the funding. Trump’s executive order calls for workforce development that will fill skilled cybersecurity job openings, but at the same time, the president’s hiring freeze affects federal programs that could bolster that effort. The budget has to be there to drive the change.
Q: Do you believe Trump’s executive order went far enough to make progress on cybersecurity?
DW: I’m in agreement with James—this will really come down to funding. It’s tough for an agency, because many times they’re in a place where they would love to do what Trump is talking about in this order, but they only have so much budget, and they have other higher-priority items that they have to pay for first. However, I will say this tends to ring more true for civilian networks.
JC: One thing that may be a reoccurring obstacle to progress is a conflicting focus and priority between an organization’s primary mission and cybersecurity. If you’re given a pool of money, you’ll allocate more toward your highest business priorities. For instance, when thinking about critical infrastructure, there is a primary mission (making sure planes don’t crash, grids have power, etc.). The leaders of these groups and agencies have an important job to do—and cybersecurity is generally a secondary priority. Until the government makes cybersecurity a primary mission, it will always be secondary.
DW: There has been talk that Trump could create a cybersecurity department, which could address James’ point on focusing on cybersecurity as a primary mission. There is a cybersecurity co-committee run out of the DoD, but that is really focused on that side of the government. It’s unsure if or how it could be distributed across other agencies. But the challenge with creating a department is that each organization will likely still want to run their own cybersecurity efforts. That said, at the end of the day, they will do what the government asks them to do.
JC: I don’t think having a centralized cybersecurity group would be beneficial. We’ve been there and done that before. There has to be ownership and accountability within each group—checks and balances. That’s where the government can help: making individual agencies accountable.
Q: The order talks about modernizing federal IT systems. What do you believe is the best approach to achieving this goal? Are there any special considerations that should be made?
DW: Modernizing legacy systems will certainly help toward improving cybersecurity—especially when moving off legacy control systems. For example, we don’t want military bases to be open to hacking things like food supply or air conditioning, so updating systems is a critical goal.
JC: If you don’t modernize your IT infrastructure, you’re leaving yourself in an always vulnerable state. For legacy systems, you’re always in a state of having to implement compensating controls to make up for the lack of inherent security built into today’s technology. The least that could be done to help address cybersecurity issues is to keep your systems modern and up to date. Make sure to perform regular maintenance and patching.
As it relates to an approach, you would first assess your environment and understand where and what your business critical systems are. You’d look at these systems and the systems that support these through the lens of risk management. What systems would you need to target first for modernization that would reduce the most significant amount of risk to the business? The modernization of systems and overall architecture is strategic and generally not as easy as a tactical fix or patch.
Q: One-third of federal government agencies reported experiencing a breach in the last year.1 Do you think government agencies are more targeted, more vulnerable, or both?
JC: Both. The lure of government is that you’d have access to a treasure trove of sensitive data that isn’t regularly available. Every type of threat actor is interested in you and what data you have. Then there is the consideration that, if you’re a hacker, what’s a more glamorous target than the government? There is some national branding associated. It’s a pretty appetizing target if you’re into the fame.
The legacy infrastructure leaves the government in a more vulnerable state, making it easier to break into.
Q: The same report1 indicated that federal respondents claimed their insecurity is primarily due to budget constraints and lack of staff. Why are these such prevalent issues in the federal space? How will Trump’s executive order address these issues?
DW: It’s more difficult for the federal space to be well-staffed, because the federal government can’t compete with what the commercial space can offer skilled security personnel in terms of compensation. The government may get really smart people, but they will move on as soon as they get experience because the pay is so much better in the private sector. The budgets just aren’t there to keep skilled talent.
JC: Although I loved the cause and mission of being in the military, I decided to get out after four years because we were getting paid peanuts in comparison to what you would see in the commercial world. The mission of the government was important enough to me that I decided to interview with a few federal organizations, and while they paid better than the military, they were still half the pay of what you would see at regular companies. You have to really love the mission of the government to work for half the pay. That’s a huge problem.
Trump’s order won’t be successful in changing this issue unless it increases budget in this space. The ex-director of the FBI stated that the next war will be based on cyber. It won’t be missiles, it will be cyber-war. Take even a small percentage of the proposed defense budget and put it toward cyber-defense. If you’re not going to fund it, it will be a moot point.
Q: The new executive order on cybersecurity requires department chiefs to adopt the standards laid out in the National Institute of Standards and Technology (NIST) framework. What does this entail?
DW: It’s not really a new requirement. NIST was set up for this purpose, and agencies were supposed to be following it already. However, each agency is self-evaluating. Trump’s order doesn’t really change that. The NIST framework is important for the government to have, but it won’t likely make any large, drastic changes unless it is truly enforced and agencies are held accountable.
JC: NIST has been around for a long time. Some parts of the government probably do this better than most companies.
One thing that is interesting is that the third parties that work for the government are generally less scrutinized than the government itself. In looking at a lot of the recent breaches, it’s not just the government. The OPM breach, for example, was through a private agency that did work for the government. This factor makes it a lot more complex to enforce.
Q: According to the order, heads of agency must coordinate to provide a report to the President within 180 days that includes findings and recommendations for better supporting the cybersecurity risk-management efforts of section 9 entities. What do you conjecture might be included in these findings?
DW: It’s likely these reports will be incomplete (and maybe a little biased). Agencies will tend to protect each other in some ways.
JC: I think Dan is correct. The reason why companies and regulations often say “Thall shall have a third party assess cybersecurity risk” (e.g., pen testing, vulnerability assessment) is that no one wants to air their dirty laundry. Independence removes bias. If you ask agencies to self-assess and write a report, they will likely be biased or incomplete.
That said, it’s a start. Even if the reports are incomplete, if they report anything it’s a place to begin, and if they are held accountable and funded to address risk, it’s a step in the right direction.
Q: Are there any other considerations that you think will be important in the implementation of the cybersecurity executive order?
JC: The one important thing we haven’t talked about is that the government is generally behind the times when it comes to cybersecurity. In his presidency, Obama began to leverage the private sector to bridge the gap of where the government is. This is probably a good direction to move in. I don’t think the government can do it all on its own. They need to include the private sector—and they need to back the order up with funding and accountability.
DW: I think James hit the nail on the head. Without the funding and accountability, it won’t get done. Without the private sector, you won’t have the experts.
That said, there are considerations with including the private sector. There are conflicts of interests that you could bring into the mix. But when we think about the sensitive information available in the data contained within federal agencies, it’s a scary thought. We need to find a better way to protect this critical information.