On May 11, 2017, President Trump issued Executive Order 13800, ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’ (EO 13800). The Trump administration promised to deliver a cyber policy within 90 days of inauguration. Not only did EO 13800 arrive late in the game but also no action has yet been taken beyond planning.
Obstacle-ridden implementation of national cybersecurity no easy feat
Agency prioritization of resources, an aging infrastructure, and a need for speedy procurement are just some of the obstacles that the administration faces in its Federal IT modernization initiative. Sadly, cybersecurity is not one of the White House’s strong suits. In a statement at the ASU Cybersecurity Conference, Senator John McCain said, “Unfortunately, leadership from the executive branch on cybersecurity has been weak. As America’s enemies seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy.” Currently, not all EO 13800 deadlines have been met.
Internal strife and concerns within the Trump administration threaten to weaken cybersecurity efforts. For example, a number of members of the National Infrastructure Advisory Council (NIAC) resigned in the last week of August, creating a staffing shortage.
Council members asserted that some of President Trump’s actions – or failures to take action – threaten homeland security. Among other issues, the resignation letter of those NIAC members raises a red flag on cybersecurity: “You have given insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process.”
Some tangible progress is being made, as agencies and departments report to the White House and put what they can in action regarding EO 13800. The American Technology Council and Office of Innovation drafted and submitted its Report to the President on Federal IT Modernization on August 30, 2017. The report details the vision for a more modern and secure federal IT system, and recommends how to achieve it. It also outlines a process to get federal IT up to speed to leverage US innovation.
Several states taking proactive steps to cybersecurity
State and local governments store large amounts of sensitive data, including Social Security numbers, healthcare records, and tax and finance information. For this reason, state databases have become favored targets of cyber crime.
Cyber attacks have devastating consequences, as witnessed by the destabilizing and NotPetya ransomware outbreaks – two of the biggest attacks to date. The private information of 143 million people was exposed in the Equifax data breach that took place between mid-May through July. Hackers stole the credit card numbers of 203,000 people and dispute documents containing the personal information of182,000 people.
With timing so critical, and no set policy and strategy in sight, several states have implemented their own cybersecurity measures.
The New York State Department of Financial Services (NYDFS) was the nation’s first to implement a cybersecurity regulation affecting all banking, financial services, and insurance companies under its jurisdiction. Taking effect on March 1, affected institutions were required to achieve compliance by August 28, 2017.
Named 23 NYCRR 500, the first of-its-kind cybersecurity policy aims to protect customer information and IT systems used by regulated entities. In a news release announcing the compliance date, financial services superintendent Maria T. Vullo stated: “With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place[,] in order to protect data and information systems.”
Cybersecurity cannot wait for the next attack
The US is experiencing a critical window while the Trump administration transitions from analysis and planning to actual implementation. Meanwhile, an increasing number of states are taking steps towards improved cybersecurity, which raises standardization and uniformity issues. Each day that goes by without addressing EO 13800 is another day that the nation is left vulnerable to cyber attacks.
Are you among the many organizations that must comply with state cybersecurity regulations?
ISO 27001 provides a framework for a strong information security management system (ISMS) and to help your organization comply with laws and regulations. Learn how to implement the internationally recognized ISO 27001 standard. Find out more about our ISO 27001 classroom and Live Online training courses >>