Don Maclean is the chief cybersecurity technologist for DLT Solutions.
As cyber breaches and threats dominate the headlines, the Trump administration’s cybersecurity executive order seeks to strengthen the security and infrastructure of federal agencies. However, there are missing elements that could play a critical role in improving our nation’s cyber resiliency. What could boost the order’s effectiveness? Here are three thoughts:
Require Independent Risk Assessments
The order rightly calls for an assessment of incident response capabilities by looking at the potential scope and duration of an attack, agency readiness to respond, and gaps exposing the government to risk. However, it also allows agencies to coordinate their own reviews and select contractors for evaluation. With an eye on maintaining a strong relationship with the agency, contractors tend to provide lenient evaluations that may not accurately represent the agency’s security posture. Instead, a centralized agency such as the Department of Homeland Security should coordinate and contract assessments to ensure the independence and objectivity of reviews.
Risk scoring methods may also require change. Many evaluations use numeric scores for confidentiality, integrity and availability. Numeric scoring creates a false sense of objectivity and precision and can mask the subjective nature of an evaluation. Qualitative methods of reporting risk clarify the reasoning and justification for assessment decisions.
Simplify Documentation Requirements
The order’s requirement to use the NIST Cybersecurity Framework in lieu of NIST 800-53 Rev. 4 essentially duplicates work, resulting in additional paperwork and compliance with overlapping initiatives.
Compliance documentation reports consume time and resources that would be better spent on tangible prevention and response. Compliance involves interviews, test procedures and reviews of policies and other documentation, none of which contribute directly to remediating vulnerabilities or preventing an attack. An assessor might need hours to observe, test and document a vulnerability that needs only a few minutes to mitigate. Allowing agencies to prioritize fixing problems over documenting them would result in more effective security. Though elements of compliance and documentation are necessary to implement and maintain a tighter security posture, they should be lower priorities than remediation.
Provide Incentives to Increase the Federal Cybersecurity Workforce
Recognizing the need for cybersecurity expertise, the order addresses enhancement and development of a trained cyber workforce. However, the order emphasizes assessment of the workforce situation over actual hiring.
Cyber expertise is critical, so agencies need to create incentives to acquire the necessary talent. Higher salaries and better benefits would help, but such measures are difficult to implement within the strict constraints of federal compensation practices. Federal contractors, however, have more latitude and are a significant presence in the security workforce of many agencies. Including financial rewards in contracts is a feasible way to reward excellence.
Moreover, financial benefits are not the only incentives for federal cybersecurity employees. Many work with government because they value the role they play in protecting our nation. Maintaining a positive conversation focused on winning the cyber war, rather than presenting an overwhelming and unmanageable task, would help to build and motivate the cyber workforce.
The order acknowledges areas where federal agencies need to spend more time and effort to improve security. The order would be better, however, if it mandated independent security assessments, reduced paperwork requirements in favor of deploying solutions, and provided financial rewards for direct hires and contractors who perform superbly.