AndreaMoore
Community Manager

Your Thoughts? Executive Order on Improving Cybersecurity

(ISC)2 Community,

What are your thoughts on the recently issued Executive Order on Improving the Nation’s Cybersecurity?

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improvin...

The order covers a lot of ground, including:

  • Removing Barriers to Sharing Threat Information
  • Modernizing Federal Government Cybersecurity
  • Enhancing Software Supply Chain Security
  • Establishing a Cyber Safety Review Board
  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Improving the Federal Government’s Investigative and Remediation Capabilities
  • National Security Systems

There is even a directive for the creation of “pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices…”

What are your thoughts? Are the right areas being addressed? How impactful do you feel these directives will be?

ISC2 Community Manager
9 Replies
Steve-Wilme
Advocate II

Aren't the largest breaches in the non-government sector, still?

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
rslade
Influencer II

> AndreaMoore (Community Manager) posted a new topic in Industry News on

>   What are your thoughts on the recently issued Executive
> Order on Improving the Nation’s Cybersecurity?

Every incoming US president creates a security/information security/cybersecurity
panel. They get a bunch of CEOs, and a few people who know what they are
doing, and sit around for three years, and then produce a report. I assume that the
executive order is just speeding up the process by recycling the old reports, since
they are always the same.

>   Removing Barriers to Sharing Threat Information

One of the things that they always do is say that there should be more sharing of
information. This is always hailed by industry leaders, until they realize that what
the government means by "sharing" information is that you tell the government
everything, and the government tells you nothing.

> How impactful do
> you feel these directives will be?

At the end of this line there is a dot that is the size of the impact this order will make.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
tmekelburg1
Community Champion

> @rslade wrote:
> Every incoming US president creates a security/information security/cybersecurity
> panel.

In this instance he really didn't have a choice with the pipeline incident. One of those damned-if-you-do, damned-if-you-don't situations. And you're right about information sharing with the U.S. Gov. typically being one way. Hopefully, this will at least help with information sharing within the U.S. Gov. itself though.

I'm more pessimistic than optimistic on this actually helping prevent future incidents like the one at Colonial Pipeline. I think the focus should be on the regulatory agencies overseeing Critical Infrastructure for actual change to happen.

JKWiniger
Community Champion

Let me know when they will pass a GDPR for the US. Many places need the possibility of heavy fines in order to start getting their houses in order.

John-

Budoka
Contributor II

What @rslade said x2.

Steve-Wilme
Advocate II

There's already the CISP (Cyber Security Information Sharing Partnership) run by NCSC in the UK. It's of some value, but even with the traffic light system in place many organisations are wary about sharing information about the incidents and near misses they've suffered. The problem with "if you show me yours, I'll show you mine" is that hardly anyone wants to make the first move to share info. I usually wound up ringing the GovCERT UK duty handler instead.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

Having spent 25 years in the US federal government I can tell you this. The best and brightest minds are not working there, especially since I left (HAHAHAHAHA!). The problem is that they cannot afford the best talent because of the archaic HR system and incompetent HR practitioners. And also archaic procurement rules. I switched multiple federal jobs due to HR incompetence. Why did I stay for so long, you may ask? Simple. Job security. It was comfortable and reliable. I watched as coworkers sitting right beside me as contractors made 50K/year more than me for doing the same job, well, apart from the fact that I had to approve their work. I saw plenty of lucrative positions that I didn't want to take the risk on since I had a young family. Now that they are almost grown and out of the house, I plan to make the jump and take more risks. I saw plenty of bright young talent leave after gaining a few years' experience for more lucrative positions that we in the federal government couldn't match. You really want to fix US government cybersecurity? Pay more. Be able to fire the poor performers. In my 25 years of US federal service I saw plenty of incompetent workers able to keep their jobs because they were either protected by unions or there were plenty of old HR rules that made it nearly impossible to get rid of poor performers.

Seems like there is always more money available AFTER an incident than there was before. So you have to have a crisis to get better. Add to that the disjointed nature of the myriad of government agencies, and you see the same money being spent multiple times by different agencies to solve THE SAME PROBLEM!

And don't get me started on the antiquated technology being used.

Information sharing???? Out of the 16 intelligence agencies, exactly 0 trust the other agencies with their gathered intelligence, and they only share sparingly or when forced to. No agency wants to be eliminated because another agency is doing the same job and gathering the same data. Plus they all want to feel special and unique.

They should have just hired me for a large salary and I could have fixed it all for them. But their budget is only so big, and HR says I haven't held "high" enough positions, or their computer screened me out because I didn't check the right boxes, or the HR practitioner doesn't understand what a CISO or CIO actually does and can't relate my experience to the position, or I didn't put the exact right keywords in my resume, etc. etc.

 

JKWiniger
Community Champion

@CISOScott But wasn't Homeland Security created to stop the stove-piping of information between agencies? OK, OK, when you stop laughing! I have been a member of InfraGard for years, and while they did share a little information back in the day, any meaningful information has all but stopped. Now it's more reports and general alerts. I remember how disappointed I have been when I get alerts faster and with more information from the news than I do from InfraGard. And I agree with everything you said. So much of the government is a gun culture that they have always been way behind in understanding IT and respecting those in it.

John-

Caute_cautim
Community Champion

Hi All

A year on, how is it going?

https://www.darkreading.com/risk/needs-improvement-scoring-biden-s-cyber-executive-order

What do you think? Is it having an impact?

Regards

Caute_Cautim