President Donald Trump on May 11 signed the final draft of his executive order on cybersecurity, which places more power in the hands of agency secretaries and mandates a governmentwide adoption of NIST’s cyber framework.
The order also requires agencies to submit a risk management report to the secretary of Homeland Security and the director of the Office of Management and Budget within 90 days. Darron Makrokanis, vice president of Federal for Tenable Network Security, said the order’s time frames are a “bit aggressive,” but the emphasis on cybersecurity is a step in the right direction. Makrokanis will be speaking at Tenable’s GovProtect discussion on June 21, which MeriTalk is producing.
While he acknowledged the importance of a cyber push, Makrokanis said the funding allotted to agencies’ cybersecurity posture is incongruous with how much attention they really need. For example, one of Tenable’s prospective clients could not purchase the company’s cyber services because it received only one-tenth of its requested budget.
“If you’re going to put out an executive order that says ‘thou shall,’ you better put out money to back it up. Funding has got to follow,” Makrokanis said. “The government’s under tremendous pressure right now. I think we need to see things like the [Modernizing Government Technology] Act pass and we have to see funding.”
Tenable released a white paper on June 1 recognizing the two-year anniversary of the Office of Personnel Management data breach that exposed 21.5 million Federal employees’ information. The document states that agencies need to modernize because older operating systems may not be compatible with newer tools, making networks difficult to maintain.
Many agencies oversee the personally identifiable information of millions of citizens. Makrokanis said data stored all across government agencies, including OPM and the General Services Administration, needs to be treated with the same care as classified information held by the CIA and the National Security Administration.
“Think of all the data agencies hold. Employee data alone carries a tremendous amount of value,” Makrokanis said. “You need to treat that with a certain level of importance, as you would with classified information. It’s important that we treat all data as very important data. In the wrong hands, that could be extremely detrimental.”
The Department of Homeland Security and the intelligence community used to employ a system of classification for different threat levels, Makrokanis said. For example, critical threats would be coded as red, and less severe ones would be yellow. Makrokanis said a similar system needs to be established across all Federal agencies.
Makrokanis said another solution is a standard outlining the oldest models of operating systems that can still be supported across the Federal government.
“The government has to get a baseline that says ‘No one will have operating systems that run slower than this,’ ” Makrokanis said. “The value proposition is lost on the end user because they’re worried about the fraction of infrastructure that’s not supported by our technology.”
Rep. Will Hurd, R-Texas, has called for the creation of a Cyber National Guard to defend against cyberattacks the way the Coast Guard monitors the coast. Makrokanis agreed, stating that a battalion of cyber defenders will serve alongside the nation’s armed forces in the future.
“We’ve always prided ourselves on military power,” Makrokanis said. “We need to take the same approach on our cyber posture. You never know where the next attack will come from.”