In early May 2017, the latest draft of the President’s Executive Order (EO) “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” was leaked.  Earlier versions of the EO had also been leaked: one in January 2017, published by the Washington Post, and a revised version in February, published by Lawfare Blog.

Consistent across the earlier versions is the requirement that government agencies use the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity to implement a cyber risk management approach when conducting a self-assessment, capturing the results in a final report.  There was criticism that the initial EO draft was more of a token gesture than an actual attempt to address the larger problem of safeguarding important networks.  The second iteration appeared to improve on the first and, as one review stated, placed more emphasis on preparing federal organizations to address cyber threats, providing more specific recommendations.

The current iteration shows a continued evolution in cyber security thinking.  Unsurprisingly, each subsequent version has been longer than its predecessor, suggesting that increased effort has been dedicated to identifying more applicable guidance rather than concealing specifics, and perhaps uncertainty, beneath the ambiguity that accompanies strategic language.  For example, the May 2017 document provides clear steps an agency should take when implementing the NIST framework, including documentation of risk mitigation and acceptance choices; the strategic, operational, and budgetary considerations that informed those choices; and the action plan designed to implement the framework.

Compelling agencies to use the NIST framework is positive, as it provides explicit guidance for federal agencies.  It not only imparts a structure for federal organizations to manage their cyber risk, but also affords uniformity and consistency, bringing all relevant stakeholders under the same security umbrella.  In the past, each agency was responsible for its own security, and the way each went about accomplishing this task varied.  Now, while responsibility will still rest with each agency, the manner in which it is executed will be more congruent.

In addition, the requirement to implement cyber risk management across the federal digital domain is refreshing in that it accepts the realities of today’s complex cyber threat environment.  Forcing agencies to identify critical information and networks and to conduct rigorous cyber security self-assessments forces them to make difficult but important decisions about the types of risk they are willing and unwilling to accept.  This in turn puts the onus of cyber security not just squarely in the lap of the IT department, but on the head of the agency, who will be responsible for such decisions and ultimately held accountable for them.

Another important addition to the recent iteration is the focus on workforce development.  Recently, several articles have highlighted the dearth of cyber security professionals in the marketplace and the difficulties this imposes on both public and private organizations.  The problem is global; one report found that the global cyber security workforce will have more than 1.5 million unfilled positions by 2020.  The latest version of the EO directs domestic and international reviews of the cyber security workforce to better gauge the U.S. position with regard to its standing in the global community.  Although nothing in the EO provides a blueprint of action items to improve this situation, conducting assessments is a critical first step in identifying areas for improvement and, in turn, in sustaining and growing the workforce.

Of note, one key inclusion in this latest EO iteration is the direction to the Director of National Intelligence to undertake a similar review of the workforce development efforts of foreign cyber peers in order to understand how their progress could affect the long-term competitiveness of U.S. cyber security.  In this way, the EO intimates that it is not enough to understand the United States’ cyber security posture; it is imperative to measure how it compares to the rest of the world, including allies, adversaries, and friendly nations.  Undistorted self-awareness is at its most beneficial when it is placed in a larger context.  Given the interconnected nature of cyberspace, knowing how others stand in relation to the U.S. is essential to informed decision making.

While this EO was intended to be signed in January 2017, the postponement has allowed the White House to invest much-needed time and effort in identifying those critical areas that need to be addressed immediately.  More importantly, it provides specific courses of action to be taken, and identifies and empowers those agency leaders whose responsibility it is to steward these endeavors.  Ultimately, the EO has benefitted from not being rushed to publication despite great anticipation.  Cyber security, especially at the government level, needs more pragmatic and deliberate approaches to improvement.  Given the many past missteps in trying to address the challenges posed by cyberspace, taking the time to do it better instead of quickly is a welcome and needed change.

This is a guest post written by Emilio Iasiello.

UK’s Digital Strategy – Future Model or Another Thought Piece?

First announced in 2015, the United Kingdom (UK) finally published its Digital Strategy, which went into effect on March 1, 2017.  Per the government’s website, the goal of the document is to provide a blueprint for how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good.  This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.

3 non-technical positions in high demand in the cybersecurity industry

We keep hearing about the widening skills gap ravaging the cybersecurity industry. A lack of qualified personnel is slowing its growth and affecting the security level of its customers. But most people outside the industry see these statistics and shrug. The cybersecurity industry is perceived as a very small, elitist segment of the tech market, even to the point of being a niche industry.

Tallinn 2.0 May Be More Useful Than Its Predecessor

In early February 2017, Tallinn Manual 2.0 was published by Cambridge University Press.  Led by the NATO Cooperative Cyber Defence Centre of Excellence, the initial Tallinn Manual was published in 2013 and focused on the applicability of international law to conventional state-authorized and state-operated cyber warfare.  Authored by a group of international law experts, the recent follow-up covers the full spectrum of international law as it applies to cyber operations conducted by and directed against nation states, ranging from peacetime legal regimes to the law of armed conflict.

RSAC 2017 – more of the same, but some interesting trends emerge

RSAC 2017 is behind us. It was bigger, noisier and more crowded than any cybersecurity event in history. It is so big that it is overwhelming, and if you consider the off-site meetings, mini-conferences, meetups and parties, you can forgive an average visitor for feeling somewhat fuzzy afterward. Vendors don’t have it easy, either. With more than 700 companies and organizations presenting, trying to stand out, or simply to gauge the competition, is extremely difficult.

The Cyber Coordinator: Let the Dog Bite

Former New York Mayor Rudy Giuliani has been tapped to be the President’s new “cyber security czar.”  The appointment has been met with trepidation among those in the information security business, who point to Mr. Giuliani’s lack of expertise in anything cyber-related, despite his being Chair of the Cybersecurity, Privacy and Crisis Management Practice at a Miami-based law firm and having advised companies on information security since 2002.  In fact, critics cite recent reporting revealing that passwords used by Giuliani and 13 other top staff members were leaked in mass breaches of websites such as LinkedIn and MySpace between 2012 and 2016.

Israeli cybersecurity industry – looking back at 2016

Israel is a major force in cybersecurity innovation and development, and Israeli cybersecurity companies are at the forefront of technology, rubbing shoulders with global industry giants. In fact, according to the CyberDB data bank, Israel has the second largest number of cybersecurity companies in the world, second only to the US. In terms of actual sales, Israeli cybersecurity exports account for between 5% and 10% of the global cybersecurity market, an amazing figure given Israel’s minuscule size and small population.