Upcoming cybersecurity executive order leaves RSAC experts optimistic
Experts at RSAC 2017 discussed the upcoming cybersecurity executive order from the new presidential administration and how the NIST Framework strengthens the plan.
SAN FRANCISCO -- Members of the CSIS Cyber Policy Task Force discussed the cybersecurity executive order expected from the new presidential administration and how the NIST Cybersecurity Framework is integral to those plans.
Karen Evans, co-chair and head of the East Coast team for the CSIS Cyber Policy Task Force and national director for the U.S. Cyber Challenge, said the task force at the Center for Strategic and International Studies (CSIS) worked with the transition team and the current administration on issues that should be covered in the upcoming cybersecurity executive order from President Donald Trump.
"One of the big focuses that I hope the administration will go for is looking at how the federal government is dealing with your information. There are specific things dealing with cloud and shared services and how to implement services in the cloud in a secure way," Evans said. "There is a lot pushing toward that direction and using those technologies for security purposes -- to reduce risk -- not necessarily for cost efficiencies or cost savings."
Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks Inc., based in Santa Clara, Calif., said he expects the draft cybersecurity executive order to build on work done as far back as the administration of former President George W. Bush.
"My understanding is there continue to be discussions around the margins to make sure there is direct alignment with the evolution of policy in the last 10 years. But by [and] large, what you've seen from that draft [cybersecurity executive order] is a continuity of bipartisan and nonpartisan approach to cybersecurity," Gillis said. "I take it overall as a positive step that this draft executive order doesn't come in whole cloth and change everything that we have been working on for the last 10 years. It actually builds upon and strengthens some of those efforts by holding agencies accountable for securing their own networks, holding the [Office of Management and Budget] and [Department of Homeland Security] accountable for their various roles and responsibilities in a cross-agency way and building upon the public-private collaboration."
Evans also noted a big part of the task force's cybersecurity executive order recommendation was to use the NIST Framework as the basis for security discussions across both the public and private sectors.
Bobbie Stempfley, director of cyberstrategy implementation for MITRE Corp., said the NIST Framework was important to provide structure to recommended cybersecurity actions.
"One of the important actions that was needed was, how do we do a better job aligning security needs with IT needs with business needs inside an organization so they can make effective decisions about what was the right thing to do," Stempfley said. "The idea of the NIST Framework was to really build that frame, so organizations could start to make effective decisions about their business, their security and the technology that they use to execute that business. The hope certainly is that this framework will provide a common lexicon for us to communicate as an industry about decision-making in this space."
Gillis said the NIST Framework was designed to be flexible, while building upon work that was done in the public and private sectors.
"The process through which the NIST Framework was developed was not the government telling industry what to do. It was the government bringing together all sectors of industry to say: What are your best practices?" Gillis said. "The risk-management approach that was decided upon was: identify, protect, detect, respond, recover. Those are things that can be understood by CEOs, by C-suites, by corporate boards and by agency heads that are risk-management-focused that need to identify ... what matters most, what are the crown jewels."
Sameer Bhalotra, co-chair and head of the West Coast team for the CSIS Cyber Policy Task Force and former senior director for White House cybersecurity under former President Barack Obama, said the new administration may face less resistance when pushing the NIST Framework in this way.
"I worked in the White House during the Obama administration, and one thing that held us back from pushing this framework was a lot of private companies thought this was a step toward regulation -- these voluntary frameworks will become mandatory standards -- and they didn't want that," Bhalotra said. "I think, under the new administration, there is a lot less concern that Congress, in the near term, is going to pass new regulatory requirements. So, with that concern behind us, I think the NIST Framework can really blossom and become that single vocabulary we've always been looking for to manage this as a nationwide project."