Here are three takeaways for your business from the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure signed on May 11, 2017.
1. Incorporate the NIST Cybersecurity Framework into your business.
The Executive Order requires federal agencies to use the well-established NIST Cybersecurity Framework to fulfill their mission to protect federal networks and critical infrastructure and to appropriately plan for and procure cybersecurity training, products, and services for the future.
As background, the Framework was first published in Feb. 2014. It uses business drivers (e.g., achieving business results, increasing cost effectiveness, reducing enterprise risk) to guide cybersecurity activities and it considers cybersecurity risk as part of an organization’s overall risk management process.
It also explains cybersecurity in simple terms that business people without IT backgrounds can easily comprehend, in order to facilitate discussions about core principles of cybersecurity, the concrete steps an organization can take to move from its current cybersecurity posture to the one it wants, and how to make a boardroom business case for procuring cybersecurity training, products, and services.
Because it is a framework, it is easily scalable from small and medium-sized companies to large organizations and government agencies. Even before the Executive Order was issued, it was estimated that 50% of all U.S. organizations would be using the Framework by 2020.
The Framework will help your business identify the gaps in your cybersecurity and help you determine where to spend your finite resources to best bolster your cybersecurity defenses. For example, it will help you make a business case that instead of spending a half-million dollars on reports about the latest malware out of Eastern Europe (at an executive’s suggestion), a tenth of that amount would be better spent on employee training to prevent HR from accidentally releasing employee W-2 information to criminals or to prevent employees from clicking on Word attachments in emails that introduce malware into your systems.
An important point here is that the Framework is undergoing revision: Draft Version 1.1 was published for comment on Jan. 10, 2017. The updated draft Framework, among other things, adds a new section on measuring cybersecurity and expands the discussion of how the Framework can be used to measure cyber supply chain risk. NIST has published the comments received to date along with its responses, and is still accepting additional comments through June 13, 2017.
2. Incorporate security by design into the internet of things-enabled devices you manufacture.
The Executive Order identifies several industries that are considered our Nation’s “critical infrastructure,” meaning systems and assets, whether physical or virtual, that are so vital to the U.S. that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The Executive Order requires, among other things, that the Departments of Homeland Security and Commerce examine the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure. It also requires:
– an open, interoperable, reliable, and secure internet for innovation, communication, and economic prosperity, with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets);
– an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident, the readiness of the United States to manage the consequences of such an incident, and any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident; and
– an assessment of cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.
Additionally, it holds agency heads accountable for managing cybersecurity risks to their enterprises. We addressed this topic previously in our post on the Office of Inspector General’s security audit of NASA’s cloud computing services.
So your business should not only be focused on preventing incoming cyberattacks; it should also be focused on incorporating security by design to prevent your internet of things-enabled devices from being compromised and conscripted into botnets used in distributed denial of service (“DDOS”) attacks. In these attacks, many compromised devices are directed at a particular website, portal, or system, causing a denial of service. Security by design means incorporating security into the design process from the beginning to make the devices impervious to attack, rather than trying to make the devices secure as an afterthought.
3. Incorporate cybersecurity into your business’s core values.
The Executive Order requires cybersecurity for our Nation’s future and that we put resources in place to guarantee the United States’ cybersecurity edge into the future. It requires agency heads to outline strategic options for deterring adversaries and better protecting the American people from cyber threats. It requires that the U.S. work with its allies and other partners to ensure a globally secure and resilient internet, including international cybersecurity priorities for investigations, attribution, cyber threat information sharing, response, capacity building, and cooperation.
It also requires workforce development, requiring an assessment of the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related curriculum, training, and apprenticeship programs from primary through higher education, with growth and sustainment in both the public and private sectors.
The takeaway here is that incorporating cybersecurity into your business’s core values can be used as a differentiator to separate your business from the pack and make it more successful in the long run.