As promised, President Trump has signed the long-awaited White House Cybersecurity Executive Order that is intended to improve overall digital security for the federal government, as well as provide direction for how public and private groups can measure and collaborate on cybersecurity issues.
The Order is especially important in light of reported flaws in our national cyber infrastructure, which have resulted in ominous repercussions for both government officials and the American public. Reports of Russian interference in the 2016 presidential election, and hacking into former Secretary of State Hillary Clinton’s email server, are just two high-profile examples of how, and why, cybersecurity needs more thorough policing and guidelines. As the government continues to seek innovative ways to run its IT infrastructure, mostly by moving to the cloud, the potential for vulnerabilities increases all the time.
Timing and politics aside, we think this is a step forward for the security of our federal intellectual property, and American innovation in general. The Cybersecurity Executive Order focuses on three key elements: protecting the United States’ federal networks, upgrading the federal infrastructure, and coordinating better across agencies. It also provides important validation that a cloud-first approach is the best way to manage government technology assets and capabilities.
It’s fitting that there is a mandate for the use of existing guidelines from the National Institute of Standards and Technology (NIST) as the basis for this Order. NIST’s guidance is an accepted and vetted set of requirements and conditions that is included within the compliance guidelines of most cloud service providers (CSPs), and when used with complementary security automation solutions, it can help to ensure compliance and support prescriptive remediation. This further encourages collaboration among public and private organizations that have a vested interest in mitigating risk.
Previously, the Obama administration encouraged the private sector to voluntarily adopt the NIST framework, but it was not required of government agencies. With the Executive Order now directing government agencies to follow the NIST guidelines, they are effectively practicing what they preach, and can hopefully create an infrastructure that has a reduced attack surface and is more resilient.
Department of Homeland Security advisor Tom Bossert voiced support for the Order today when he said, “We spend a lot of time and inordinate money trying to protect antiquated systems. We’ve got to move to the cloud to try to protect ourselves instead of fracturing our security posture.” His assessment is accurate and highlights the sensitive nature of what the Order proposes to protect. And while protection is the goal, ensuring it is going to require a security-first approach to compliance and management of the federal government’s technology and data assets.
In 2011, the sitting U.S. Chief Information Officer, Vivek Kundra, published a defining report that recommended moving to the cloud, and emphatically advised that the federal government needs to “… be vigilant to ensure the security and proper management of government information to protect the privacy of citizens and national security.” Kundra, and now Trump, are helping to create a mindset within the government that is both cloud-first and security-first.
So today we have what amounts to the defining mandate for decisions about cybersecurity in the government for the foreseeable future. It embraces change and innovation, and also recognizes that major responsibilities come with the agile and dynamic attributes of operating in the cloud. Keeping pace with this change will require constant vigilance and attention, so government agencies will need solutions that enable them to maintain the highest degree of security while still taking advantage of new ways of doing business.
As we look closely at the Order (and take into consideration the cybersecurity skills gap that we have in the United States), it’s clear that federal agencies will need automated, continuous security monitoring of their cloud environments. The requirements are made very clear: to be compliant, all agencies will be required to acquire tools and capabilities to protect their workloads and data, and the digital footprint that impacts U.S. citizens more than ever before.
With this Order, we hope to see federal agencies quickly get the resources needed to deliver on better cybersecurity. Doing so will meet the President’s demands, but more importantly, it will create a more secure operating environment for the government’s technology infrastructure. As a nation, we won’t make progress if agencies don’t have access to the people and tools they need to achieve and maintain better cybersecurity.