Understanding the Executive Order on Strengthening the CyberSecurity of Federal Networks and Critical Infrastructure: Q&A with Trevor Rudolph
On May 11, 2017, President Trump signed an Executive Order on Strengthening the CyberSecurity of Federal Networks and Critical Infrastructure. We sat down with our Chief Operating Officer (COO), Trevor Rudolph, for a Q&A to gain a better understanding of what the Executive Order means and its implications for government and industry.
Q&A with Mr. Trevor Rudolph
What is the overarching goal of this Executive Order?
The overarching goal of the Executive Order is to help establish a foundation for President Trump's CyberSecurity strategy - a strategy that should ultimately address both government and industry CyberSecurity risks and capabilities to ensure we are protected from this serious threat.
Who does this Executive Order impact?
This Executive Order impacts a variety of groups with a heavy focus on the Federal government, to include civilian agencies, the Department of Defense (DoD), and the Intelligence Community. Agencies are now required to submit to the White House risk management plans to articulate how they have identified and protected their most sensitive assets in a true risk-aware manner. It also calls on the military to assess its capabilities to withstand attacks from adversaries and to execute offensive capabilities, when appropriate. The Executive Order also highlights risks impacting the Defense Industrial Base (DIB) and Energy sectors, which is particularly important because any catastrophic cyber attack will likely impact one or both of these sectors.
As for who was left out of the Executive Order, it's troubling to me that Small and Midsize Businesses (SMBs) are not referenced at all. There have been discussions of upcoming legislation, like the MAINSTREET Cybersecurity Act, that could assist SMBs in managing cyber risk, but it doesn't appear that the Administration has made the mid-market a particular focus of their strategy. I personally find this troubling because SMBs make up a majority of the American economy yet they generally lack the technical sophistication and resources to address CyberSecurity risk.
What are the key takeaways?
The Executive Order is logical and sound. It builds on a number of positive developments from the previous two administrations' CyberSecurity strategies with a heavy emphasis on risk management versus compliance regimes. The Executive Order mandates Federal adoption of the NIST CyberSecurity Framework, which is a positive development as it will encourage leadership to play an active role in managing CyberSecurity risk in terms they can understand. I also appreciate that the Executive Order requires the DoD and critical infrastructure entities to take a close look at their capabilities. Although the military's role in defending critical infrastructure and industry is not always clear, what's clear to me is that in the event of a catastrophic cyber attack, our country will rely heavily on our military for protection, remediation, and ongoing deterrence.
How does this impact SMBs?
A major weakness of this Executive Order is that it is silent on SMBs. I encourage the Trump Administration to play an active role in supporting SMBs' CyberSecurity needs. This topic is worthy of its own Q&A, but let's just say that the Administration can have a very positive impact here if it decides to use its convening power to lead the broader SMB ecosystem to a set of practical solutions.
What is the impact on the Defense Industrial Base (DIB)?
The Executive Order calls for a capability assessment on the DoD and DIB with a particular emphasis on risks facing the DIB, to include: supply chain; US military platforms, systems, networks, and capabilities; and recommendations for mitigating those risks. There was a report due earlier this month (90 days post Executive Order) on those risks, and I think the DIB community can expect some stronger direction from the White House on how to address sophisticated threats to the military and DIB.
What do you hope to see as a result of this Executive Order?
I hope to see better government risk management practices that truly involve agency heads in key CyberSecurity decisions. CyberSecurity doesn't just happen the way that it should without engagement from the CEO and agency head level of organizations.
Additionally, the topic of workforce development was referenced in the Executive Order and I would like to see the eventual fruits of this labor. I am encouraged by this focus area as the government must commit some serious resources to close the 10,000 person CyberSecurity skills gap in government, the 1 million person gap across the nation, and the nearly 2 million person gap world-wide.
Based on this Executive Order, what can we expect from this Administration going forward regarding CyberSecurity?
I expect a robust CyberSecurity strategy with time that emphasizes the balance of offensive and defensive CyberSecurity and, most importantly, an emphasis on resilience. Attacks are inevitable, so we need to be able to ensure that as a country, we can operate in a degraded environment and can recover mission critical systems as quickly as possible. I have high hopes for this Administration's CyberSecurity plans. This is the best Executive Order this administration has published - it sets our government and nation on the right path and I look forward to continued progress.