President Trump signed an Executive Order on May 11th aimed at strengthening the nation’s cyber security and protecting federal networks and critical infrastructure (Cyber EO).
Reaction to the President’s Executive Order (EO) by cyber professionals has largely been positive as the key components of the EO extend beyond the policies of previous presidential administrations.
Israel Martinez, a member of the HMG Strategy Network and Chairman, Global Manufacturing ISAO & CEO, Axon Global, was briefed on the President’s Executive Order on May 12th, along with Dr. Richard Schroth, another member of the HMG Strategy Network, Founder and President of Executive Insights, Ltd. and Co-Executive Director at the Kogod Center for Cyber Governance at American University, by the team charged with implementing the Cyber EO: Jeanette Manfra, Acting Deputy Secretary of the U.S. Department of Homeland Security (DHS); Thomas McDermott, Acting Deputy Assistant Secretary for Cyber Policy, DHS; and Bob Kolasky, Acting Deputy Under Secretary for National Protection and Programs Directorate, DHS.
The Executive Order covers three sections: “Cybersecurity of Federal Networks”; “Cybersecurity of Critical Infrastructure”; and “Cybersecurity for the Nation.” Martinez and Dr. Schroth share their insights on the key takeaways for each of the three sections as well as the implications for private-sector CISOs.
Cybersecurity of Federal Networks
“We were glad to see that months of hard work successfully manifested in a focus on cyber risk management which was pervasive throughout the Cyber EO,” said Martinez. “What this means is that after months of feedback from HMG Strategy members and months of working with select transition team members as well as 100-day Transition Team members, we’ve shifted the dialogue from a technology focus to a risk-management focus, including risk mitigation strategies.”
Dr. Schroth commented, “In the private sector, the shift for CISOs will mean a more clearly-defined opportunity for who and how the 'corporate' appetite for risk is determined, eventually leading to policies that provide better guidance for the entire enterprise. The critical aspect of this narrative will create the opportunity for more collaborative decisions on risk from the Board to the General Counsel to the CISO.”
The spotlight on cyber risk management also sets the tone for accountability. For instance, the Executive Order spells out in no uncertain terms that the secretary for each federal agency will be accountable for any breaches incurred. It’s expected that this accountability will extend into the private sector, while regulation that is largely ineffective is removed.
Martinez reviewed President Obama’s 2013 Executive Order on Cyber Security and points to how the language has shifted from a technology focus on sharing threat information to risk management, which encompasses a multi-disciplinary approach. President Trump’s Executive Order details how “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.”
“This is a multi-disciplinary approach that the HMG Strategy platform has been pushing into the Administration. Our voices were heard,” said Martinez.
“This is also the first time we see a Presidential Administration correcting a culture of denial, by admitting that there are 'known vulnerabilities' as well as unknown compromises that are not detected or mitigated,” said Martinez.
Key takeaways for CIOs and CISOs in this section of the Executive Order include how information security leaders are grappling not only with cyber crime but are also targets in a global cyber economic warfare campaign, said Martinez. This requires government agency leaders, CIOs and CISOs to cooperate and shift strategies from defense to proactive defense and selective offense by incorporating the use of cyber counter-intelligence.
“That’s a bit scary for business people, especially general counsel, but changes in policy and law are moving toward meaningful consequences for threat actors and release of liability for companies that are in a position to selectively defend themselves,” said both Martinez and Dr. Schroth. Schroth added that “we still have a long way to go relative to the quality and quantity of information sharing, but it’s inevitable that information sharing will continue to find a more robust pathway at all levels.”
Meanwhile, shifting the premise from cyber crime such as theft of property to cyber warfare with threats intended to meaningfully impact operations has board-level implications. For instance, in Directors & Officers (D&O) liability insurance policies, there’s typically a sizable premium attached to any coverage related to acts of terrorism or war, Martinez and Dr. Schroth noted.
In addition to risk management, another keyword that’s highlighted in the Executive Order is resiliency. This implies a shift from pure incident response to include innovative recovery planning with integrated disaster recovery models between technology and operations. This is a new paradigm for Chief Risk Officers and other decision-makers in government, said Martinez.
“Cyber resiliency can range from something similar to 9/11, to the Dyn DDoS attack, each being unforeseen events, so whatever you planned for disaster recovery (DR) goes out the window,” said Martinez. “Cyber attacks are increasingly impacting operations, so we have to think differently and update the old playbooks regarding DR. Cyber warfare DR is much different from DR due to acts of nature. Most of those playbooks haven’t been developed yet.”
There’s also greater emphasis on architecture in this Executive Order than in previous federal policies. Martinez and Schroth believe that government agencies and companies in the private sector will need to address infrastructure protection strategically, incorporating emerging technologies such as blockchain and artificial intelligence for improved detection and attribution capabilities.
“The problem we’re facing today is the result of poor architecture. Until we lift and shift to a new paradigm, these problems will persist,” said Martinez.
Cybersecurity of Critical Infrastructure
One of the key differences in President Trump’s Executive Order is the renewed focus on critical infrastructure, section 9 entities, and their supply chains, including the private sector.
The Cyber EO emphasizes the importance of supporting transparency about cyber reporting in the marketplace. The EO specifies an examination of “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.” This could lead to new guidance by the SEC regarding reporting security risks in quarterly 10-K statements.
For instance, Martinez points to how Home Depot recently agreed in a shareholder lawsuit settlement that it would take certain steps to effectuate cyber security, including the use of a third-party provider to monitor the Deep Web Darknet and report back whether bad actors have already dumped compromised data. This is an example of proactive defense.
In addition, the Executive Order outlines how the Secretary of Commerce and the Secretary of Homeland Security “shall jointly lead an open and transparent process” to identify and promote action to reduce threats perpetrated by botnets.
“Botnet-directed distributed denial of service (DDoS) attacks, such as the Mirai IoT botnet attack against Dyn in October 2016, are one of the top 3 threat vectors we must resolve as IoT devices explode into the marketplace,” said Martinez. “As of today, there is no comprehensive solution in place for this type of attack.”
Cybersecurity for the Nation
One of the key differences in President Trump’s Executive Order is an emphasis on deterrence and protection. During the briefing, noted Martinez, it was clear there is intent to bring consequences to threat actors.
“That’s a much different approach than with previous administrations and it’s a big win,” Martinez said.
Among the priorities that are cited in the Executive Order is greater emphasis on attack attribution, incident response, building greater capacity in the nation’s infrastructure, and cooperation.
Martinez points to how the Department of Homeland Security recently formed a cybersecurity partnership with Japan to deepen cyber information sharing.
“It makes sense that we should be systematically sharing threat information with each other even faster than bad actors share with each other. We in the private sector should be driving that,” said Martinez.
While the Executive Order addresses the need to support the growth and sustainment of the cyber workforce, Martinez and Dr. Schroth indicated they both would have liked to have seen greater emphasis on the use of automation to aid in cyber security detection and response, including the use of artificial intelligence (AI). They point to how Amazon recently acquired an AI security company, harvest.ai, and how Amazon is experimenting with ways to use AI to defend the network.
“That is the way of the future,” said Martinez. “Today, we’re largely using defensive tactics against a global strategic assault against the business environment. We must innovate our responses at a pace faster than the threats or we lose.”
What’s not Addressed in the Executive Order
In the opinions of Martinez and Dr. Schroth, there are still a number of questions that must be addressed during 2017 and 2018 in further support of the Executive Order. Below are a few of those topics:
EU and GDPR: What will be the official federal position towards the EU’s committed adherence to GDPR (the General Data Protection Regulation)?
Governance: What actions will the Federal Government pursue, for corporate and non-profit boards, private equity, and others responsible for the governance and financial well-being of the public trust, to protect fiduciary stability against cyber risk?
Global information sharing: Will the administration strengthen global information sharing capabilities and will those be shaped by civilian or defense-related agencies?