On the campaign trail last year candidate Donald Trump vowed to make U.S. federal IT systems “as secure as modern technology permits.”
But President Trump’s executive order on Thursday of a review of all government systems and critical infrastructure set a goal that infosec pros will appreciate because it speaks their language: risk management.
“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises,” the order reads.
“Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.”
What the sometimes bombastic Trump didn’t do was set an impossible goal like “make sure systems can’t ever be breached” – a target which IT pros gave up over a decade ago.
Just in case public servants didn’t get the message, the order also specifies that “effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.”
Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data, the order says.
The order requires every agency head to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days detailing the risk mitigation and acceptance choices made by each agency, as well as an action plan to implement the U.S. National Institute of Standards and Technology (NIST) cyber security management framework if they haven’t already done so.
Senior officials then have 60 days to review the risk mitigation plans and report to the President. These plans may in whole or in part be classified, so there’s no promise they will be made public.
The document fulfills a Trump promise to order a full review of U.S. cyber security capabilities. For comparison, in 2013 the Harper government announced an action plan to implement a previously announced federal cyber security strategy to better secure government IT systems and critical infrastructure. The Trudeau government is now preparing to update that strategy.
There are two other interesting pieces in the order:
–It warns bureaucrats, in a document signed by the President, of something all IT pros should know:
“Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”
In other words, move fast on getting the basics right.
–As part of their review of IT services, bureaucrats should think first about shared services: “Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.”
Within the next 90 days officials are to report to the President on the possibility of shifting all or parts of some agencies to one or more consolidated network architectures and to shared IT services.
For that, bureaucrats might want to call Ottawa for a few lessons on how the idea is working here. Industry analysts say there’s a lot of logic in shared services, but, like any project, how you do it is key.
Shared Services Canada has taken over IT services for most federal departments by merging data centres, mandating one email service and contracting for a single communications network for the bulk of the government. However, it is reported to be a year behind schedule on at least one part of the centralization and over budget. In addition, at one point last year the RCMP reportedly was so frustrated with performance that it refused to give Shared Services Canada any more control over the Mounties’ information technologies.
Trump’s executive order also directs the government to improve Internet security.
The Secretaries of Commerce and Homeland Security will jointly lead “an open and transparent process” – perhaps with public meetings – to identify and promote action to improve the resilience of the Internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks, such as botnets.
The two officials are to make public a preliminary report within 240 days and a final report to the president a year from now.
On critical infrastructure, senior officials are to report within 90 days on the possibility of a prolonged power outage from a significant cyber incident and what to do about it. Also within 90 days, senior officials are to report on cyber risks and recommended mitigations to U.S. defence manufacturers and military platforms.
Also within three months senior officials are to report to the President on “the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
And by the fall officials are to recommend a strategy for international co-operation in cybersecurity, following calls from Israel and a Microsoft official.
There were mixed responses to the order, with one in the IT industry complaining that it was “mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country needs to address its most pressing cyber threats.” However, another praised the focus on updating or replacing outdated government computer systems, but said it would be “a monumental task,” given U.S. budget constraints.