18 May 2017

Trump’s Cybersecurity EO: Will it be a Small Step or Giant Leap?

Mark Kuhr

With a new round of election hacks in France and large-scale ransomware cyber attacks hitting 70+ countries around the world, it’s clear that cybersecurity has become one of the most important issues of our time. In a timely and fitting move, President Trump signed a long-awaited executive order around cybersecurity on Thursday. Many see it as a good first step towards establishing a more securely-operating federal government and protecting the nation and its people.

The executive order’s focus points were spot on and really hit home on a lot of the big issues. Holding executive heads accountable for security, viewing security in terms of risk, and protecting infrastructure deemed “critical” are of utmost importance to the security of the country. Trump also, rightly, addressed the problem of the growing talent gap in the American security industry as well as the need for a deterrence posture against attack and the need to build cooperation internationally with our allies on the cyber front.

This is all a step in the right direction, but agency heads responsible for such actions will need a lot of help and guidance going forward, with a few clear objectives laid out for them in this initial piece of legislation.

Bullet Points of the EO

  1. Secure federal networks
    - Hold executive heads accountable.
    - Manage cybersecurity risk as an executive branch enterprise, essentially centralizing the risk.
  2. Protect critical infrastructure
    - Identify risks in critical infrastructure, including the internet, electricity, and the defense industrial base.
  3. Build an effective cybersecurity posture for the nation
    - Enable and support the growth and sustainment of the workforce skilled in cybersecurity.
    - Establish a strategic deterrence posture and build international cooperation with our allies (i.e., investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation).

A Review

The Good: We have a framework here with many of the key focus points I expected, which signals the importance of the issue to the President. The President is starting to look at security in terms of risk and criticality; he’s holding the right people accountable; and he’s willing to spend money to make it happen. Getting legislation out there that signals the federal government will spend money and dedicate resources to an issue like cybersecurity is definitely a good step in the right direction.

The Yet-to-Be Seen: At this stage, the order calls for study and reporting on agencies’ current security risk. While there were no clear strategies laid out, the agency heads – now responsible for their agencies’ security – will need to determine the correct course of action to ensure successful implementation.

The Next Steps: With agency heads responsible for operational security strategy and risk mitigation, my hope is that they will choose to engage the private sector; if public and private sector collaboration comes about from this, it would be a really successful step forward in our country’s cybersecurity posture. I also hope to see some creative, outside-the-box thinking, like the willingness to explore crowdsourcing as a means to mitigate the talent gap issue. Creative talent resourcing will allow the government to utilize the diverse perspective of hackers who can think like the adversary we are fighting. Engaging in an offensive approach for their security defenses is the most appropriate method to mitigate the cybersecurity risk that they will determine in the coming months.

The Outstanding Questions: Several questions about the framework of Trump’s EO and how the agencies will carry it out remain unanswered: How are they going to determine risk? Once they determine risk, how will they go to work mitigating that risk? Will the money be spent effectively? How are they going to find the talent for a huge undertaking of modernizing the Federal IT systems?

The US is complexly connected in the world's cyber sphere. How will Trump's new EO affect this?

Filling the Gap

Creative, Cost-Effective, and Efficient Solutions

With the immense amount of work to generate an organization’s baseline risk assessment, analysis, and prioritization of effort, agency executives will undoubtedly lean upon the traditional government contractor staff. The Federal government already outsources many functions, and even augments its staff with contract personnel to a high degree. In some cases, contract personnel can cost federal agencies as much as 80% more than federal employees to perform comparable functions. [1] Instead, why doesn’t the government look for more innovative and cost-effective solutions from Silicon Valley? The President has been an outspoken critic of Washington, and as such he should encourage agencies to look beyond their current GSA schedule listings of vendors.

Although I will shamelessly plug Synack as we can provide a trusted researcher network for risk identification and exploitation intelligence in a crowdsourced (rather than contractor staff) model, we are by far not the only solution necessary to resolve this complex problem. Silicon Valley is filled with a myriad of security companies that can help the government but routinely become discouraged due to the bureaucracy. To spur further public-private sector collaboration, I would encourage the President to push for reform of the government’s antiquated acquisition processes to allow agency heads to leverage the best and most effective solutions on the market outside of DC.

As President Trump has proven to be an outspoken advocate of the private sector and often unconventional in his methods, hopefully this administration is willing to think outside the box and partner with private companies to help carry out the goals of his new EO. One such solution we’ve already seen in private-public collaboration is the use of Einstein, which has offered cyber threat mitigation to US federal civilian agencies. Einstein utilizes a mix of private and public threat indicators to detect malicious web traffic and then also prevents that malicious traffic from harming networks.

Criminal hackers make little, if any, distinction between public and private sector: the attacks we face and the war we’re fighting are essentially the same. Segmented defense strategies always leave behind holes that could have been filled if forces were combined. Where the private sector is strong in efficiency, innovation, and capturing strong talent, the public sector is strong in intel, information collection, and sheer size. Government needs to help the private sector deal with nation-state threats and vice-versa. Creative and effective solutions can be utilized to combat the world’s growing cybersecurity problems if public and private join forces.

[1] Project on Government Oversight, 2013. http://www.pogo.org/our-work/letters/2013/20130415-feds-vs-contractors-cost-comparison.html