President Trump finally signed an executive order (EO) on cybersecurity. It appears to be receiving mostly positive reviews from security professionals but there is plenty of room to grow.
According to Reuters, the EO on cybersecurity:
seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have pilfered millions of personal records and other forms of sensitive data in recent years.
The EO dictates that federal agencies are required to use the framework developed by National Institute of Standards and Technology, known as “The Framework for Improving Critical Infrastructure Cybersecurity” to manage cybersecurity risks.
As we know, cybersecurity has been a mess in the federal government. I’m hard-pressed to find an agency that didn’t experience some type of security incident, and I’m sure many of you reading this were affected by the Office of Personnel Management breach (as was I). Executive and Congressional leadership has lagged on its response to security issues, and for those reasons, I applaud President Trump for stepping up to do something. I hope the delays that kept the EO from being signed weeks ago as planned were in order to make it better.
I’m not the only one who thinks this is a good step forward. Steve Grobman, senior vice president and CTO with McAfee, provided this statement to me via email:
Getting the government’s own cyber house in order is job one, and holding agency and department heads accountable is key. This is no different than the paradigm we see in corporate organizations where, although the CEO is not a cybersecurity expert, he or she is ultimately responsible for implementing a cybersecurity plan that mitigates risk to the business. Additionally, we’re pleased the order takes on the challenge of IT modernization, which must go hand-in-hand with securing federal systems. Trying to implement security on old, often obsolete technology is both difficult and expensive, and with limited IT talent available would be throwing good money after bad. Modernizing and securing government systems and networks are dual priorities that should have equal weight and are both long overdue; we welcome the Administration’s focus on both.
Like I said, however, this is a good start. We need to keep going forward, and as Michael Patterson, CEO of Plixer, told me in an email comment, while the EO highlights the need for security improvements, it is still lacking. Citing the various breaches on agencies like OPM and the IRS, Patterson added:
There is no silver bullet, but the order needs to go further and require government agencies to have forensic incident response systems in place that can remediate cyber challenges as quickly as possible. With the amount of attacks that government agencies incur every day, it is not a matter of if, but when, hackers will be successful. The key is to be alerted and respond as quickly as possible.
Our cybersecurity problems didn’t evolve overnight, nor will they be fixed with one EO. Time will tell how effective this is and how the administration builds on what it has begun.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba