In early May 2017, the latest draft of the President’s Executive Order (EO) “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” was leaked. Earlier versions of the EO have also been leaked, one in January 2017 and published by the Washington Post and a revised version in February published by Lawfare Blog.
Consistent in the earlier versions are the necessity of government agencies to leverage the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity for assistance in implementing a cyber risk management approach when conducting a self-assessment, and capturing results in a finalized report. There was criticism that this initial EO draft was more of a token than actually addressing the larger problem of safeguarding important networks. The second iteration appeared an improvement over the first, and as one review stated, placed more emphasis on the preparation of federal organizations to address cyber threats, providing more specific recommendations.
The current iteration shows a continued evolution in cyber security thought development. Unsurprisingly, each subsequent version has been longer than its predecessor, suggesting that increased effort has been dedicated to identifying more applicable guidance rather than concealing specifics, and perhaps uncertainty, beneath the ambiguity that accompanies strategic language. For example, the May 2017 document provides clear steps an agency should take when implementing the NIST framework including the documentation of risk mitigation and acceptance choices; the strategic, operational, and budgetary considerations that informed those choices; and the action plan designed to implement the framework.
Compelling agencies to leverage the NIST framework is positive as it provides explicit guidance for federal agencies. It not only imparts a structure for federal organizations to manage their cyber risk, but it also affords uniformity and consistency, bringing all relevant stakeholders under the same security umbrella. Whereas in the past, each agency was responsible for its own security, the way they went about and accomplished this task varied. Now, while responsibility will still rest with each agency, the manner in which it will be executed will be more congruent.
In addition, adherence to implementing cyber risk management across the federal digital domain is refreshing in that it accepts the realities of today’s complex cyber threat environment. Forcing agencies to identify critical information and networks and conduct rigorous cyber security self-assessments forces them to make difficult but important decisions in the types of risk that they are willing and unwilling to accept. This in turn puts the onus of cyber security not just squarely in the laps of the IT department, but on the head of the agency who will be responsible for the such decisions, and ultimately, be held accountable for them.
Another important addition to the recent iteration is the focus on workforce development. Recently, there have been several articles highlighting the dearth of cyber security professionals in the marketplace and the difficulties that can impose on both public and private organizations. This problem is global; one report found that the global cyber security workforce will have more than 1.5 million unfilled positions by 2020. The latest version of the EO directs domestic and international reviews of cyber security workforce to better gauge the U.S. position with regards to its standing in the global community. Although nothing in the EO provides a blueprint of action items to improve this situation, having assessments is a critical first step in identifying areas of improvement, and in turn, helping to develop the sustainment and growth in this area.
Of note, one key inclusion in this latest EO iteration is the direction of the Director of National Intelligence to undertake a similar review of the workforce development efforts of foreign cyber peers in order to understand how their progress could impact the long-term competitiveness of U.S. cyber security. In this way, the EO intimates that it is not enough to understand the United States’ cyber security posture, but it’s imperative to measure how it compares to the rest of the world including allies, adversaries, and friendly nations. Undistorted self-awareness is at its most beneficial when it’s placed in a larger context. Give the interconnected nature of cyberspace, knowing how others stand in relation to the U.S. is essential to informed decision making.
While this EO was intended to be signed in January 2017, the postponement has allowed the White House to invest much needed time and effort in identifying those critical areas that need to be immediately addressed. More important, it provides specific courses of action to be taken, and identifies and empowers those agency leaders whose responsibility is to steward these endeavors. Ultimately, the EO has benefitted from not rushing to publication despite great anticipation. Cyber security, especially at the government level, needs more pragmatic and deliberate approaches for improvement. As there have been many missteps in trying to address the challenges posed by cyberspace in the past, taking the time to do it better instead of quickly is a welcome and needed change.
This is a guest post written by Emilio Iasiello.