Calling Government Agencies to Action on Strengthening Cybersecurity and Preventing Breaches
The Need for a Better Way: Protecting the U.S. Government from Vulnerabilities with a New Cybersecurity Executive Order
It’s well known that the federal government possesses highly sensitive data and limited resources to protect it. It seems like there’s a new major breach practically every week, whether at a corporation, a government agency, or elsewhere. Things took a turn for the worse after the infamous hack on the Office of Personnel Management in 2014, reported by USA Today. Suspected to have been carried out by China, the hack exposed the personal records of millions of former and current government workers, most of whom hold security clearances, and was one of the most substantial cyberattacks in U.S. history.
“You can’t pick up a newspaper without reading about a breach, or some sort of threat or vulnerability. It’s a chronic problem, and after what happened at OPM, the general consensus seems to be that cyber threats targeting the U.S. government are now out of control.”
– Ron Flax, CTO at August Schell
Post-OPM, the U.S. government has made cybersecurity an even greater priority, but despite heightened efforts, the threat landscape is still risky and virulent. According to the 2017 Thales Data Threat Report, Federal Government Edition:
- 34% of federal agencies experienced a data breach in the last year.
- 65% experienced a data breach at some point in the past.
- 96% of agencies reported that they considered themselves “vulnerable” to cyberattacks. 48% said they were “very” or “extremely” vulnerable.
Given the clear and present need to strengthen U.S. protections in cyberspace, the Trump administration has issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which states what the White House believes the policies should be and who should be in charge.
“Essentially, it’s about calling out responsible parties for the bulk of the government, which is primarily Homeland Security and their agencies—they report to the Directors of OMB and GSA. For national security, the responsible party is the Secretary of Defense and the Director of National Intelligence,” Ron Flax, CTO at August Schell, explained. “It’s split between those two parties, so for anything that’s national security-related, leadership is with the Secretary of Defense and National Intelligence. For everyone else, leadership is with Homeland Security, OMB, and GSA. Then there are the department heads, and the agency department heads are ultimately responsible for the cybersecurity posture of their respective agency or organization. The EO doesn’t call out specific products or technologies, but they do say that technology plays a big part, that many of our systems are out of date, inadequate, unpatched, and the like, so they’re calling upon agency heads and essentially saying, ‘get your act together’.”
A quick summary of the EO, reported by Lawfare:
- Section 1: Cybersecurity of Federal Networks
- Requires agency heads to be guided by the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
- Directs agency heads to produce a report within 90 days documenting “risk mitigation and acceptance choices made by each agency head as of the date.”
- Declares it “the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.”
- Section 2: Cybersecurity of Critical Infrastructure
- Directs agency heads to classify authorities and mechanisms through which agencies can better support cybersecurity efforts of critical infrastructure.
- Mandates investigation and reporting by numerous agencies on federal policies.
- Section 3: Cybersecurity for the Nation
- Addresses consumer cybersecurity to foster a secure internet and enable the growth of a cybersecurity-trained workforce.
Responding to the EO: What Will Change, and How Soon?
Beyond their initial response, agencies are on the hook for responding to the EO annually. Ultimately, the initial objective appears to be raising the level of awareness around cybersecurity within the government and putting agency heads on formal notice that they will be held responsible.
NIST is a major component; it publishes the guidelines that the rest of the government should consider and apply, and defines requirements for best practices around standing up and configuring data centers, as well as configuring and protecting the networks those data centers use. The government has already subscribed to these standards, but now that following them is a formal requirement, keeping pace with NIST best practices, as well as DISA STIGs, at the very least establishes a baseline for achieving and maintaining the strongest possible security posture.
At present, the Trump administration’s Cybersecurity Executive Order is in its beginning stages, so it may take some time before there is significant funding behind it. In the meantime, beyond following established cybersecurity best practices throughout the federal government, agencies can seek help through reputable cybersecurity partners who have the expertise to advise on enhancing protections.
In addition, federal agencies should consider accelerating the process of adopting a cloud strategy in alignment with FedRAMP (Federal Risk and Authorization Management Program), a certification process for federal agency-specific cloud computing, to respond to the EO. AWS GovCloud, for example, is a FedRAMP-certified public cloud. Shifting computing capabilities to the cloud is a mandated component of the EO, so the sooner solutions are explored, the better.
Federal Cybersecurity With ASE: We’re Here for Agencies
August Schell understands that federal agencies are in a precarious position given the constraints they operate under to protect what they have. There may be deficiencies in the configuration of networks and environments, and the agency resources available to solve this problem are not adequate. Plus, malicious actors will press on, and seem to have limitless resources to achieve their goals while the government’s resources are restricted—we understand that it’s not a favorable equation.
August Schell works side-by-side with federal agencies to design, deploy, and optimize security postures. We have an enterprise management and monitoring services practice designed to address many of these challenges. If your agency needs assistance with making cybersecurity changes based on the EO, or would like to learn more about how you can optimize your internal resources by seeking help, get in touch with an August Schell specialist, or call us at (301) 838-9470.