The U.S. State Department, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week issued a series of reports tied to an executive order President Trump released a year ago to fortify federal networks and critical infrastructure.
Trump’s May, 2017 Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made it clear that the heads of executive departments and agencies will roll if they fail to blunt the cybersecurity risk to their enterprises. The subsequent agency reports conveniently appeared only a few days ahead of the June 4 election, with the November midterms an expected target of cybersecurity attackers.
'Make Them Pay' Strategy
The State Department’s Recommendations to the President on Deterring Adversaries and Better Protecting the American People From Cyber Threats said that hitting the wallet of foreign countries “responsible for significant malicious cyber activities aimed at harming U.S. national interests” is the best deterrence. The State Department’s “make them pay” strategy includes:
- Developing a range of consequences: A “menu of options for swift, costly, and transparent consequences.”
- Policy planning: Inter-agency policy planning for the time periods leading up to, during, and after laying on the consequences.
- Building partnerships: Consequences are best carried out in concert with like-minded partners.
The State Department’s deterrence strategy is not without its detractors. Ruchika Mishra, director of product marketing for IT security specialist Balbix, called it a “post attack reaction.” Rethinking cybersecurity and protecting IT assets “requires much more emphasis on proactively predicting and controlling your breach risk and focusing on strategies and approaches to avoid breaches as a first step, rather than focusing on developing and imposing consequences after the fact,” she said.
A second State Department report, Recommendations to the President on Protecting American Cyber Interests Through International Engagement, details a strategy to strengthen collaboration with foreign partners and allies to address shared threats in cyberspace.
Defending Against Botnets
Meanwhile, the Commerce Department and DHS released a report on strengthening the resilience of the Internet and communications ecosystem attacked by botnets located mostly outside the U.S. The report, entitled Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, said that while the “tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available,” they are not part of “common practices for product development and deployment” in many sectors.
Both Commerce and DHS also published a report on the U.S. cybersecurity workforce, concluding that while there are nearly 300,000 open jobs for cybersecurity professionals in the U.S., with demand expected to reach 1.8 million slots in four years, the feds’ cybersecurity pay is well below bar to attract talent. The report also said that minorities and women are underrepresented among those working in cybersecurity and veterans are an untapped source of workers.
And, the OMB published the Federal Cybersecurity Risk Determination Report and Action Plan, a high-level assessment of government cybersecurity risks and recommendations to improve federal cybersecurity. OMB and federal agencies must collaborate to address government-wide cybersecurity gaps and identify unmet budgetary needs, the report said. OMB and DHS also determined that 71 of 96 agencies participating in the risk assessment have cybersecurity programs that are either at risk or high risk. OMB and DHS additionally found that federal agencies don’t know how threat actors seek to gain access to their information.