This month has seen two important events for global cyber security – the updating of the United States government’s cyber security strategy and a detailed briefing on cyber threats from the US intelligence services.
The executive order signed by Donald Trump gives individual heads of government agencies the final responsibility for their organisation’s cyber security. Putting one named person in charge, and putting security at the centre of all decision making, is a lesson many businesses have learnt the hard way.
The order asks agencies to ensure they are following security standards set by the National Institute of Standards and Technology. It notes that one of the biggest threats comes not from zero-day attacks but from problems which have been identified but not fixed.
“Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”
Agencies must provide a management report within three months which outlines potential risks and what plans are in place to reduce them.
The order also calls on agencies to implement shared services for cloud, cybersecurity and email in order to improve security. It wants agencies to consider how feasible it would be to move to one or more consolidated network architectures. Moving to a single platform can improve security, but it seems unlikely that it will be possible across the whole of the US government. It is interesting that cloud services, which were once seen as a security threat, are now identified as a way to improve security and resilience.
Putting all 190 agencies on a single platform will be impossible, but any business would aim to reduce the number of disparate systems it was trying to secure.
Finding best practice and using it across an organisation is a good way to cut expenditure while still reducing the risk.
The order also calls for specific action to reduce the risk from botnets and other automated, distributed attacks. It wants better information sharing and co-operation on cyber attacks between agencies and with international partners, as well as faster investigation and attribution of attacks when they happen.
Going beyond just defence, the order also calls for ideas to improve strategy to deter attackers and ways to better protect the public as a whole.
The need for the order was reinforced by Daniel Coats, the director of national intelligence, who gave a public briefing to the Senate Select Committee on Intelligence on the key threats he sees for US business and government agencies. Coats said the ‘cyber threat’ was posing an increasing risk to infrastructure because of increasing reliance on automated systems which could be vulnerable to cyber attack. This increases the chances of cyber attacks having real-world effects, not just stopping or slowing online services.
As well as the actual impact of attacks, Coats warned of the associated risks of reducing public trust at the same time as increasing costs for business. Russia, Iran, North Korea and China were named as the most active attackers of US systems.
Coats also warned of new threats from Internet of Things projects which are not properly secured.