The Trump administration thinks federal agency heads should not pass the buck on cybersecurity to their CIOs or CISOs, according to a top cybersecurity official.
Speaking at Wednesday’s MeriTalk GovProtect17 conference in Washington, D.C., Rob Joyce, the White House’s cybersecurity coordinator, said that President Trump’s executive order on cybersecurity, issued May 11, will compel agencies to identify their cybersecurity risks and build defenses around them. Only by identifying and acknowledging risks can proper cybersecurity defenses be mounted, Joyce said, adding that agency heads can no longer pass off responsibility for cybersecurity to their subordinates.
The executive order is focused “on the critical aspects of the way cyber is underpinning the national security, the economic well-being and the health of the nation,” Joyce said. It is organized around four major pillars:
- Federal cybersecurity
- Protecting critical infrastructure
- The international norms, deterrence and relationships needed for a healthy cybersecurity ecosystem
- Developing a stronger federal cybersecurity workforce
A Risk-Based Approach to Cybersecurity
The order represents a sea change in the government’s approach to cybersecurity, Joyce contended.
“We are now going to treat federal networks as an architecture. We are going to look at them holistically,” he said. “Now, that doesn’t mean one big federal government network. What that really means is, we are going to consider all of the components because they have interplay.”
Thinking about federal networks as an architecture requires a greater focus on risk, Joyce said. Under the order, agency heads will be held accountable by Trump “for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
Within 90 days, each agency head is required to provide a risk management report to Secretary of Homeland Security John Kelly and Mick Mulvaney, director of the Office of Management and Budget. The reports will “document the risk mitigation and acceptance choices made by each agency head” as of May 11, including the strategic, operational, and budgetary considerations that informed those choices, and any accepted risk, including from unmitigated vulnerabilities. They will also describe each agency’s action plan to implement the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology.
When thinking about how to defend federal networks, commercial networks or critical infrastructure, Joyce said, “you can’t defend things that you don’t know.”
“To understand the risk, the first element of that is, you want to understand the components of that network,” he said.
The order pushes agencies to take stock of their networks and IT environments and report the risks they have accepted.
Updating Old Software and Networks Is Critical
If an agency is running Microsoft’s Windows XP — which Microsoft stopped providing regular, free security patches for in April 2014 — and it has budgeted to get that software upgraded and removed, it is accepting a risk for as long as the software persists, Joyce said.
“So now the question is, does the leadership know that they’ve accepted that risk?” he said. “Because the leadership has to provide resources, funding and make those decisions that you are going to upgrade and refresh. But if they don’t know they’ve accepted a risk, how can they decide what their priorities need to be?”
The executive order seeks to “uncover those areas where we have taken risk,” which is often a “really nuanced discussion,” Joyce said. An agency might not be investing its resources in updating its outdated systems, he said. On the other hand, that Windows XP system might perform a mission-critical process, and might also be embedded in a much bigger system that is no longer supported and will never be upgraded.
“You can’t make a blanket rule that says, ‘I’m going to get rid of all XP,’” Joyce said. “It may be, in that case, you’ve got to get controls around it to protect it. But the first aspect is understanding that it’s in there and knowing that you have accepted that risk. And then you can do things to buy down that risk if you understand it’s in there.”
Agency heads cannot pass responsibility for those decisions off to CIOs and CISOs and IT staff, Joyce said.
“It really is the leadership” that is in a position to act.
“In companies, cyber can be an existential threat. In federal networks, we operate them on behalf of the American people,” Joyce said. “So the idea that we are protecting Americans’ data, Americans’ information, has to be at the forefront.”
The Office of Personnel Management breaches in 2015, in which the personal information of 22.1 million current, former and potential federal employees (and their friends, neighbors and family members) was stolen, were a major issue for the government, Joyce said. He asked the audience to consider what would happen if the Social Security Administration or the IRS had that same kind of breach. “So that’s what I mean when I say we operate these networks on behalf of the American people,” he said.
That is why the administration is pushing agencies to modernize their networks and adopt shared services and the cloud. “We can’t support antiquated, unsupported government networks,” he said.