Trump’s efforts to address national cybersecurity should be applauded

Blueprint provides impetus to defend critical infrastructure, expand cyber work force


Last May, the White House issued a cybersecurity executive order (EO)—the Trump administration's first major action on cyber policy. It has attracted naysayers. The fact is, however, that the president has finally plugged a huge hole by putting in place a guiding strategy for our nation's cyber defense.

And his suggestions are solid.

Related article: Trump's cybersecurity order calls for work force development

The order charges the government with reviewing its cyber posture and places responsibility for cyber risk on those officials who lead federal agencies, such as the Departments of Homeland Security and Defense. They must provide reports this month based on the National Institute of Standards and Technology framework, the de facto standard. And broader reports on issues impacting our nation's critical infrastructure, such as our electric grid, must be completed in the next three months.

The EO also catalyzes an effort to drive a much bigger and better-educated cyber work force—one woefully small in comparison to demand.

Ultimately, the administration is setting the stage to secure porous federal networks that have been repeatedly infiltrated by nation-states such as China and Russia, and nobody disputes that this must stop.

Widening the security net

One particularly appealing aspect of the president's EO is that it supports the concept of making security everybody's business. To this end, it requires government agencies to establish integrated teams of senior executives across IT, security, budgeting, law and privacy, among other areas.

Cybersecurity problems cannot be solved by a CISO or CIO alone. They require a team effort. This is an opportunity for government CISOs to rally agency troops to improve cybersecurity with a mind-set of continuous compliance.

Putting a dollar figure on exposure

Trump's EO also addresses the tendency among federal agencies—not to mention private enterprises—toward inertia. Today, insufficient attention is paid, for example, to the risk associated with the inability to patch an outdated operating system or application. To address this, the EO promotes assessing the cost of exposed IT infrastructure against the cost of replacement.

And then, of course, there is the focus on the cyber work force issue. Given projections of a global shortage of 2 million cybersecurity professionals by 2019, the promotion of cyber training is clearly beneficial. It also would be nice if an immediate plan to accomplish this end were put in place.

Baking security into design

Another needed step—although unaddressed so far—is embedding cybersecurity into system architecture and design, which would substantially enhance protection. Obviously, this will not happen overnight. The cost of replacing today's systems with better-protected systems is massive. Nonetheless, an effort needs to start, and in the interim there are ways to enhance security beyond specific cybersecurity products and services.

Underwriters Laboratories has a Cybersecurity Assurance Program (CAP), for example, that uses a new set of standards to test network-connected products for software vulnerabilities. The UL certification is for both vendors of Internet of Things (IoT) products and for buyers of products who want to mitigate risks.

Part of the value of CAP is that it helps software and equipment makers keep current with the many patches and updates issued for the third-party and open-source components used in an application or in the software shipped with a device. Upstream patches don't always migrate into finished products, and this lag is a cause of security breaches.
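The check behind that last point, as an added example that is not part of the article or of the UL program: a product team keeps an inventory of the third-party components it bundles and compares each shipped version against the version in which the upstream maintainer says an issue was fixed. The component names, versions and "fixed in" entries below are constructed sample data, not real advisories; a real run would feed in an SBOM and vendor advisory data instead.

```python
"""Flag bundled third-party components that lag behind their upstream fix.

Added example, not code from the article or from UL CAP. The inventory and the
FIXED_IN table are constructed, hypothetical sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    name: str
    shipped: str
    fixed_in: str
    note: str


# Constructed inventory of what a firmware image actually bundles,
# the sort of list an SBOM generator would emit.
SHIPPED_COMPONENTS = [
    Component("libfoo", "1.2.3"),
    Component("netlib", "2.0"),
    Component("jsonparse", "0.9.10"),
    Component("tinyhttp", "3.1.0"),
]

# Constructed "fixed in" table: earliest version that carries the upstream
# fix, plus a short note. Hypothetical component names and versions.
FIXED_IN = {
    "libfoo": ("1.2.5", "hypothetical buffer-handling fix"),
    "netlib": ("2.0.1", "hypothetical certificate-validation fix"),
    "jsonparse": ("0.9.10", "hypothetical recursion-depth fix"),
}


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3).

    Only the leading digits of each dotted piece count; a piece without
    digits (e.g. 'rc1') is treated as 0.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_behind(shipped: str, fixed: str) -> bool:
    """True when the shipped version is older than the version with the fix.

    Both tuples are padded with zeros so that '2.0' and '2.0.0' compare equal
    and '2.0' correctly sorts below '2.0.1'.
    """
    a, b = parse_version(shipped), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def stale_components(components, fixed_in) -> list:
    """Return a Finding for every component shipped below its fixed version.

    Components with no entry in fixed_in are skipped: there is nothing to
    compare against, which is itself a gap worth tracking separately.
    """
    findings = []
    for comp in components:
        if comp.name not in fixed_in:
            continue
        fixed_version, note = fixed_in[comp.name]
        if is_behind(comp.version, fixed_version):
            findings.append(Finding(comp.name, comp.version, fixed_version, note))
    return findings


if __name__ == "__main__":
    for f in stale_components(SHIPPED_COMPONENTS, FIXED_IN):
        print(f"{f.name}: shipping {f.shipped}, fix landed in {f.fixed_in} ({f.note})")
```

On the sample data this reports libfoo and netlib as behind; jsonparse is exactly at the fixed version and passes, and tinyhttp has no advisory entry and is skipped. The version comparison deliberately pads short versions with zeros so that a bare "2.0" is recognized as older than "2.0.1" rather than being mis-sorted by tuple length.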

Worthwhile first steps

For now, let's applaud an administration that is finally doing something proactive and comprehensive about the omnipresent—and increasingly menacing—security threat. It doesn't address every cybersecurity nook and cranny, but it provides an overarching framework at last. It's an excellent start. We're moving in the right direction.

More stories related to improving cybersecurity:
Bridging the gap between government and Silicon Valley
SMBs need to fortify their 'human firewall' with cybersecurity training
Security awareness training gets a much-needed reboot