A new presidential order aims to strengthen cybersecurity at the federal level. With this comes cloud migration, IT acquisition and improved digital services to citizens. We take a look at what all this means for the nation’s cyber defenses.
Cybersecurity and Critical Infrastructure with Centralized Risk in the Cloud
We are at (cyber) war. With cyber attacks proliferating daily, many say it’s time to call in the reinforcements. The latest global cyber news event, the WannaCry ransomware, occurred only a few weeks ago, and apparently this is only the first wave. There were eight high-profile attacks in 2016. In the month of April 2017, for example, there were more than 40 major events, and their rate and impact are only increasing. Now, perhaps, help is on its way.
On the home front, the presidential executive order on strengthening cybersecurity was signed on May 11 in an effort to move cyber risk and decision making up the chain of command. Agencies will no longer fend for themselves in patching vulnerabilities and supporting ad-hoc architectures, because cyber risk will be consolidated at a government-wide level and senior leaders will be held accountable. With this, federal IT spending will increase. Cloud migration, cybersecurity, IT acquisition and digital services to citizens are imperatives for the government. These investments aim to improve cybersecurity, boost investments in data analytics and generate cost efficiencies.
The executive order is meant to be a first step in showing how serious the country is about prioritizing the modernization of its outdated infrastructure. This is indicated in the three pillars of the order: Cybersecurity of Federal Networks; Cybersecurity of Critical Infrastructure; and Cybersecurity for the Nation. The stars seem to have aligned: the order continues years of efforts to take the infrastructure to a whole new level in policy, standards and technological advancement, and there is now the urgency of response and the funding to make this a reality.
The executive order focuses on costs and business possibilities, data center consolidation and moving to the cloud as a means to rebuild fragmented and uneven efforts across platforms and systems. Many are looking to the Department of Defense (DoD) to take the lead.
The executive order was built on the premise of the congressional “Modernization Government Technology (MGT) Act,” which was first introduced in September 2016 but stalled until recently. The recent revision of the act combined the Modernizing Outdated and Vulnerable Equipment and Information Technology Act of 2016 (MOVE IT) and the IT Modernization Fund. With the revised MGT Act of 2017, and in alignment with the executive order, the GSA is getting $228 billion set aside for IT modernization.
How can the current administration break from the “business as usual” of bureaucratic slow motion and get real about implementing meaningful cybersecurity efforts as soon as possible?
The solutions, the best practices and the means now exist. Much of the effort behind the executive order can be found in, and is based on, the recent (May 2017) National Institute of Standards and Technology (NIST) Interagency Report 8170, Framework for Improving Critical Infrastructure Cybersecurity, and Interagency Report 8179, The Cybersecurity Framework: Implementation Guidance for Federal Agencies.
The proposed Cybersecurity Framework revises 2014 standards and now addresses the current needs of industry while meeting federal technical standards. The Implementation Guidance identifies eight ways the framework can help agencies address common cyber responsibilities:
- Integrate enterprise and cybersecurity risk management
- Manage cybersecurity requirements
- Integrate and align cybersecurity and acquisition processes
- Evaluate organizational cybersecurity
- Manage the cybersecurity program
- Maintain a comprehensive understanding of cybersecurity risk
- Report cybersecurity risks
- Inform the tailoring process
As for the improvements in cyber responsiveness, funding has now been increased for the National Cyber Security and Integration Center. The government will have to make cuts in other programs to pay for this new priority. Currently, personnel are being reduced in the majority of 24 federal agencies, with the exception of the Homeland Security Department, which is undergoing a hiring frenzy for 8,000 new full-time equivalents. This is what’s otherwise known as the zero-sum gain approach.
The results of the new executive order are yet to be seen, but the federal ROI will be realized by adopting and moving toward shared and cloud services models, including for cyber, for increased agility and reduced costs. What is lacking are incentives. There is a need for collaboration, platform approaches, open standards, integration and sharing between government and industry. One red flag is the funding reduction for NIST, which is sometimes viewed as counterproductive, but only time will tell. As many already know, just follow the money.