The long-awaited Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure from President Donald Trump was signed on May 11, 2017. It is no surprise that it covers a broad range of critical cybersecurity issues from critical infrastructure to defending against botnets.
The order emphasizes five key findings. Two of them are very relevant to a recent survey conducted by BeyondTrust:
- Section 1.b.i: The executive branch has for too long accepted antiquated and difficult-to-defend IT.
- Section 1.b.iv: Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies).
The BeyondTrust Federal Cybersecurity Threat Survey, specifically highlights these two deficiencies and concluded that:
- An overwhelming majority of Federal IT managers (81%) say aging IT infrastructures have a somewhat to extremely large impact on their cybersecurity risk.
- Aging infrastructure isn’t hard to find- 47% of Federal agencies still use Windows XP, driving a third of respondents (35 %) to report that this kind of aging infrastructure had a somewhat to large impact on their ability to affect vulnerability patching.
While it is not uncommon for surveys to identify known deficiencies, it does align very closely with the executive orders and the rampant cybersecurity problems facing the United States Government and critical infrastructure.
To that end, the executive order mandates that each agency will use The Framework for Improving Critical Infrastructure Cybersecurity developed and maintained by NIST (National Institute of Standards and Technology) to manage risk mitigation for the all of the findings. This framework is primarily based on complementary ISO and NIST references and standards that form the foundation for best practices in cybersecurity hygiene. While other references like Cobit, CCS, and ISA are cited for individual categories, ISO and NIST form the backbone that all agencies, and now all critical infrastructure, must follow.
President Trump’s executive order is on par with what the cybersecurity community expected. There are, however, a few sections that everyone should be aware of:
Section 1.C.vi.A: Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.
Government agencies have explored shared services as a path to modernization for years, but resistance to standardization in process and infrastructure has blocked most from implementation. The General Services Administration’s Unified Shared Services Management office now has the backing of this executive order to push this effort forward. However, it will be interesting to see how “preferences” are interpreted in the acquisition process. Outside of low-cost bids that meet the governments requirements, preference is generally not permitted outside of exceptions like minority-owned businesses. I am not sure how a preference to shared procurements will be justified and not challenged under Defense Federal Acquisition Regulations System (DFARS).
Section 2.d: Resilience Against Botnets and Other Automated, Distributed Threats. The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).
This is an acknowledgement that botnets, like Mirai responsible for multiple internet disruptions in 2016, are a real and growing threat. Defenses for these attacks have been slow to adopt. The executive order recognizes the threat and need to secure IoT devices as well.
Section 2.e: Assessment of Electricity Disruption Incident Response Capabilities.
Any power generation and distribution company should take note of this section. It specifically calls out threat identification and incident response. If you have NERC regulatory compliance requirements, it may be time to make sure you have them all covered.
If your agency, company, or military branch has been cited by this executive order, the terms for assessment and planning range from 90 days to 180 days for data collection and formalization of a report and budget.
If you have questions on how to become compliant, BeyondTrust can help. Our privileged access management and vulnerability management solutions can help mitigate many of these risks even if you cannot replace older information technology in a timely fashion. We have mapped our solutions to IS0-27002 and NIST cybersecurity standards for simplification of the requirements, including the Cybersecurity Framework.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.