I recently finished reading the President's recent Executive Order on cyber security and wanted to summarize some of my main takeaways. The TL;DR: it is currently aimed at the short term and very narrowly scoped, and an issue as expansive and complex as cyber security is going to require a lot more than this EO calls for.
A few of the positives:
There is a heavy emphasis on the consolidation of IT infrastructure such as email, cloud services, and outsourced services. Fewer things to manage means there is a greater possibility that the executive branch and agencies can actually track and inventory what exists. It also reduces overall costs (real and opportunity) and attack surface, all of which are net positives. This consolidation will need to be handled carefully, though, to make sure that shared services have the proper levels of segmentation and access control across agencies.
The EO emphasizes that all Federal agencies should utilize a standardized NIST-provided risk assessment and management framework. Despite the NIST framework relying on ordinal risk scales, it's still an awesome step in the right direction. Using a standardized framework lets all agencies and the Executive branch oversight speak the same language when it comes to risk decisions and should enable simpler apples-to-apples comparisons within and across agencies.
And some of the constructive criticisms:
Ultimately, the EO is heavily skewed towards assessments and risk management plans. This approach, while sufficient in the very short term to get the ball rolling, encourages the mindset that security is a one-time activity that can be delivered as a "project" rather than as an ongoing capability. This lack of longer-term focus is concerning, as it keeps us squarely in a reactive state. My recommendation for the administration would be for a follow-on EO to be drafted and delivered that focuses more on developing ongoing, maturity-focused (as opposed to checking a box in the NIST 800-53 model) cyber security capabilities within and across Federal agencies. Building resilient and maintainable capabilities, rather than mitigating point-in-time controls, will help prevent an ongoing cycle of risk assessment and mitigation efforts that is entirely reactive. I wrote about the problem with point-in-time issue reliance previously here.
The attack surface that the Federal government is (or should be) concerned about spans far beyond the Federal agency IT infrastructure this EO focuses on. Critical sectors such as the economy and financial services, healthcare, power grids, telecommunication systems, transportation and more are largely controlled by the private sector. However, these sectors each have a tremendous ability to affect national safety, stability and security. I believe that the Trump administration should continue and build upon the public/private sector information sharing and collaboration efforts set forth by the Obama administration EO. Managing risk across all of these critical sectors requires more than just information sharing or introducing more regulation; it requires that mutually beneficial partnerships be developed, with information that flows in a push and pull manner. Information in this context could be, but isn't limited to: threat intelligence, methods, or technology. At a systems level, the benefits and the consequences will affect both the public and private sector, so we are inherently in this fight together.
Ultimately, I'm pleased to see cyber security emerging in recent years as a presidential-level focal point; there is still a lot more that can and should be done, however. With how quickly this field changes, we cannot operate in 2-4 year term cycles to improve. I would love the opportunity to engage with the current administration on future cyber security policy direction; this issue is too important for any of us to abstain.