Reviewing President Biden’s Cybersecurity Executive Order (EO)
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
I will commend the Administration for the recent (May 13, 2021) Executive Order aimed at promoting immediate improvements in cybersecurity within the government and private sectors. At the same time, there are areas that need more attention. I will focus here on three: the need for a long-term view of cybersecurity; the need to strengthen the security training of front-line combatants; and the need to improve the resiliency of private and public networks and systems. These concepts seem to have gotten little attention in this EO.
Incremental vs. immediate steps
The long-term view is essential for improving cybersecurity defenses. As such, I completely disagree with the EO statement: “Incremental improvements will not give us the security we need; instead, the Federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life”. Every security professional knows that continuous improvement is the only way to build an effective cybersecurity program. Short-term EOs will have limited effect unless followed up with sustained efforts. This is the challenge of managing cybersecurity within a 2- or 4-year political cycle.
One of the best and most successful cybersecurity standards developed by the Federal government is the NIST Cybersecurity Framework (CSF), a standard that has been adopted by many private and public organizations. NIST is the Federal government body responsible for developing all Federal cybersecurity standards. The CSF highlights the use of tiers, or competency levels, for any organization’s cybersecurity defenses. Although the recent cybersecurity EO was created in response to the SolarWinds breach, ironically its release coincided with the Colonial Pipeline breach. President Trump had introduced nine EOs pertaining to cybersecurity of “Critical Infrastructure”, but this did not prevent the SolarWinds or Colonial Pipeline hacks. Maybe nothing would have. Hopefully, the many Biden EO initiatives will be followed by continuous improvement activities.
Who can do the work?
The EO contains 46 deadlines ranging from 14 days to one year. One question to be asked is: who is going to do all this work? Will other security work be dropped in favor of EO tasks? The challenge is that we have too few trained workers within the government and private sectors. New hires will not fill this void; the answer is retraining the existing workforce in cyber-defense principles and practices. This can be done and is done within the educational programs offered at universities around the country. A master’s degree program can be an effective on-ramp for individuals to fill critical cybersecurity job needs. The government’s www.cyberseek.org analysis lists 144,700 job openings last year for “Information Security Analysts” and 319,720 other job openings requesting cybersecurity-related skills.
The EO did include the recommendation for more training related to FedRAMP, the Federal cloud security standard. Other areas where training is sorely needed are included within the EO’s recommendation to adopt “Zero Trust Architecture”. Zero Trust is now a catch-all for a subset of 2021 security best practices. While cybersecurity leadership is important, it is well-educated and trained practitioners in the trenches who will be executing the security controls. In cybersecurity, execution effectiveness is everything; the principles are broadly known.
Indeed.com tracks jobs of all types and reports the following salary information (national averages) for common cybersecurity roles. The challenge is that many of these roles did not exist 10 years ago.
Job Type and Salary

| Job Type | Average Salary |
|---|---|
| Information Security Analyst | $94,422 |
| Network Security Engineer | $109,281 |
| Senior Security Consultant | $129,251 |
| Chief Information Officer | $129,299 |
| Application Security Engineer | $130,809 |
| Director of Information Security | $188,708 |
Importance of System Resilience
A glaring omission in the EO is the failure to include the concept of system resilience as an objective. Resiliency is a concept that has been promoted by NIST, the government standards-setting body. Resiliency focuses on the “availability” side of the cybersecurity triad of confidentiality, integrity, and availability. It is a descendant of redundancy, the capability to operate with one critical component out of operation. Government security originally started with secret communications, or confidentiality. Today’s cybersecurity landscape has more pitfalls with the other two components. For integrity, think election security; for availability, think any ransomware attack.
Resiliency is the capability to operate under any mode of attack, from a small incident to a full-on cyberattack or natural disaster. Systems must be engineered to be resilient; they do not automatically get there. NIST publications 800-160 Volume 1 and Volume 2 cover the details of how to engineer resilient systems. The recent Solarium Commission highlighted “National Resilience” as a priority. A popular security conference, RSA, has “Resilience” as its theme this year. It is virtually impossible to stop 100% of all cybersecurity events. Resiliency enables systems to keep operating anyway. The recent Colonial Pipeline incident shows the cascading impact when systems are not resilient.
My hope is that enough Federal cybersecurity initiatives will survive the two- and four-year election cycles. This will enable the continuous improvement needed to implement effective security controls. At the same time, broad-based worker retraining in cybersecurity is essential to carry this out. As NIST has said: “Cybersecurity is Everyone’s Responsibility”, not the responsibility of a small cadre of experts. Finally, we need to actively pursue the concept of cyber resiliency, to enable systems to keep working with minimal damage from attackers.
Security continues to be a top priority to protect all aspects of government, business, and personal information. As the field continues to expand, cybersecurity professionals will be called on to address vulnerabilities. To become a valuable player in this industry, earn your MS in Cybersecurity degree from Quinnipiac University.