Break my stride
It has been less than a month since U.S. President Trump issued an Executive Order aimed at improving the nation’s cybersecurity defenses. Cybersecurity was a hot-topic issue on the campaign trail, and security industry professionals eagerly anticipated the President’s first move in this area, hoping it would go farther than the previous administration’s plans and recommendations. If recent events prove anything, it’s that the U.S. sorely needs improved prevention, detection, and response on the cybersecurity front.
Widespread security incidents like WannaCry, the DNC and NSA leaks, copious data breaches at U.S. hospitals, and the Shadow Brokers’ promise to sell SWIFT exploit information are all warning signs that things could get worse before they get better unless aggressive and rapid action is taken. Operating under the premise that security is strengthened when everyone is working collectively—public and private sector, cross-industry, and individuals/employees together with security teams—the new Executive Order (EO) is a nod of acknowledgement. But is it an actual step in the right direction?
Nobody gonna slow me down, oh no
“I think it’s quite impressive that there is a ‘Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,’” says Ben Rothke, Principal Security Consultant at Nettitude Group. It’s clear that the nation needs it, but before he, like others in the industry, can get too excited about what’s to come, more actionable information is needed. Reading through the EO—which isn’t terribly time intensive, as it amounts to less than four pages of text—the “devil is in the details,” quips Rothke, of which there are few. In essence, Trump’s plan is to make a plan and generate more reports about how strong or weak certain industry sectors are in their cybersecurity stance. This is not a bad thing, necessarily. You know the old adage, “You can’t manage what you don’t measure”? It certainly applies here. That said, what the security industry needs is more proactive measures to lock down sensitive data and the systems that contain them.
Nor is this news; security practitioners have known for a long time that hardening against cybercriminals takes the laborious work of attending to the security basics. Even then, skilled, motivated cybercriminals will always be able to find vulnerabilities—software is written and rolled out at lightning speed (without adequate security QA), shadow IT prevails, technologies fall out of date, complex production environments can make patching difficult, phishing works, and the list goes on.
This cybersecurity Executive Order will not solve any of that.
However, it’s not all doom and gloom. For one thing, it’s nice to see that others outside of the security space finally recognize the importance of data and systems security measures on critical infrastructure. It wasn’t too long ago that non-security people thought security practitioners were all doomsday preppers for saying, for instance, an attack on the electrical grid was possible. It’s been proven that it’s more than “possible.” Aside from feeling loved and needed, though, this EO, along with the previous one from 2016, proves that our government is willing to put significant resources behind helping organizations stay secure.
I’ve got to keep on movin’
One of the things Rothke finds encouraging about the new EO is “a bigger push towards shared services and an emphasis on the cloud.” While it’s hard to precisely measure the scope of the problem, a 2016 survey of IT and security professionals estimated that 63% of data breaches are “linked directly or indirectly to a third party.” Further, a 2016 Ponemon study found that 73% of respondents feel that “the number of cybersecurity incidents involving third parties is increasing.”
These numbers aren’t surprising; companies’ networks are highly interconnected, organizations’ infrastructures are moving away from “brick and mortar” towards cloud-based data centers and services, and it’s challenging to assess third-party security (though not impossible). Further, organizations, especially those in government, are wary of sharing information related to breaches, vulnerabilities, or even threat intelligence, as they feel it could compromise the organization’s brand and/or give up a competitive advantage if they have an “in” on something no one else knows (that didn’t work too well in the case of the NSA exploit database though, did it?).
I’m running and I won’t touch the ground
Regardless, it’s helpful for enterprises—public and private—to hear a “tone from the top” that reflects the potential severity of the issue and the need for information sharing. While understanding the problem and fixing it are two different initiatives, a presidential Executive Order should help ratchet up awareness among CEOs and boards of directors. What would be potent, however, is if data sharing (truly) started occurring between public and private entities. At present, most of the sharing is unidirectional.
“I’m not sure how much of an impact this will have in the private sector,” says Rothke of the document in its entirety, adding that “the issue is that there is nothing tactical in the EO that can be made actionable.” The goal now should be turning words into action. The fact is, experienced security professionals already know their marching orders; this Executive Order is a “nice to have,” and won’t amount to external help with increased budget, skilled staff, or attention to detail. Those things must continue to be built from within.
Photo Credit: Creative Commons/Gage Skidmore