Experts debate effects of government cybersecurity executive order

The new presidential administration drafted a cybersecurity executive order for government agencies to perform extensive 60-day audits of systems, but experts are unsure how effective such a plan could be.

The leaked draft of the cybersecurity executive order, titled "Strengthening U.S. Cyber Security and Capabilities," is similar in scope to an executive order enacted by former President Barack Obama shortly after taking office for his second term. Both the recent draft and Obama's order focused on government cybersecurity assessments that would inform future plans of action.

The leaked draft of President Donald Trump's executive order called for government cybersecurity audits that would take place over 60- or 100-day periods and aim to identify of areas of improvement, or areas where specific legislation would be needed.

Sean Spicer, press secretary for the White House, said in a press briefing held on Tuesday that the cybersecurity executive order was intended to "secure the federal networks we operate on behalf of the American people, work with industry to protect critical infrastructure and maintain our way of life, and advance the cause of internet freedom."

The executive order, first announced last week, has been delayed, as Trump reportedly planned to meet with cybersecurity experts. Meanwhile, experts have suggestions on whether such an audit could be effective for government cybersecurity, or if Trump may want to take a different approach.

Carson Sweet, CTO and co-founder of San Francisco-based CloudPassage, said a 60-day time frame for the audits would not be feasible "if they want the audit to be accurate and practically useful."

"It's a reactive move; you see this when an administration is trying to posture or prove a point. But more concerning is what happens when the audit comes back with a three-year backlog of problems. If the administration takes a reactive posture on trying to fix the problems found, it will be a fire drill on a massive scale, which is rarely helpful," Sweet told SearchSecurity. "Fixing the underlying structural and operational problems that allow these vulnerabilities to linger in the first place might be a better use of resources."

John Chirhart, federal technical director for Tenable Network Security, based in Columbia, Md., said it might be possible to do an audit of government cybersecurity systems in the time allotted, but focusing solely on government agencies could overlook issues with government contractors, like those that led to the stolen credentials used in the Office of Personnel Management breach.

"The [Department of Defense, or DOD] is working toward making this a reality with the move toward the risk management framework (RMF). The RMF will help shorten the time needed to conduct such readiness assessments. Unfortunately, adoption has been slow," Chirhart told SearchSecurity via email. "Another risk factor not likely taken into account by the rumored executive order includes the countless companies that work for the DOD. They often contain sensitive data, such as research and design documents. Until recently with the release of the NIST 800-171, these companies were largely ignored in terms of proving cyber-readiness. The executive order should include coverage to any company doing business with the DOD."

John Bambenek, threat systems manager for Fidelis Cybersecurity, based in Bethesda, Md., said meeting with cybersecurity experts could be valuable, and it was "one of the good things President Obama did" before signing his cybersecurity executive order.

"The communication with this executive order and others so far has been lacking. I would hope the revisions will entail more focus on what can be done to actually accomplish solving many of the problems that have been talked about for years, but no real progress has been made," Bambenek told SearchSecurity. "Additionally, [there should be] a focus on enhancing international cooperation, so we can greatly expand our ability to put criminal actors in prison. Currently, criminals can act with near impunity as long as they don't victimize people in their own country. The key to stopping the rapid expanse of cybercrime is for nations to work together on at least the criminal side of the equation."

Chirhart said an audit is "a great way to measure where you are," but would be pointless unless "funding and mandates to fix what is found are included as part of the executive order."

"At its core, the most basic way to measure your effectiveness is to measure the date of vulnerability detection to the date of mitigation. If that number is moving to the right, you are losing the battle. If that number is staying about the same, you are at least treading water. And if it's moving to the left, you're doing the right things," Chirhart said. "But, at the end of the day, to move the mark to the left, you need the resources, tools, processes, funding and political support to make time for mitigation."