Step One of Our 12 Step Cyber Security Program:
Admitting We Have a Problem: RSAC Blog, Day One

By Phil Reitinger

As I sit on a plane-full of cyber security professionals winging our way toward RSA, I feel a surge of enthusiasm.  I’m ready to transition back from cyber security Cassandra to Pollyanna – the future is bright!  The reason?  It seems to me that both the Trump Administration and the Obama Administration have come to the very same conclusion about cyber security.  They were and are ready to admit that we have been powerless over Information Technology (not just cyber security), and that our lives have therefore become unmanageable.  We have consensus that it is time to join “IT Anonymous.”  Moreover, the proposal from the Trump Administration to address our problem, at least as included in the draft cyber security executive order, makes considerable sense.

You may not recall the Obama Administration’s Cybersecurity National Action Plan, published just a few days over one year ago, which directed:

[Government] agencies will increase the availability of government-wide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning, and operating their own IT when more efficient, effective, and secure options are available[.]

Yep, it was time to get most government agencies not only out of the cyber security business but out of the IT business entirely.  Governments’ IT-life had become unmanageable.

The draft executive order from the Trump Administration reaches the same conclusion, with even greater explanation, justification, and direction.  It says:

The executive branch has for too long accepted antiquated and difficult to defend IT and information systems.

and directs the Assistant to the President for Intragovernmental and Technology Initiatives to prepare a report on

The technical feasibility and cost effectiveness, with timelines and milestones, of transitioning all agencies to one or more consolidated network architectures … [and] to shared IT services, including email, cloud services, and cybersecurity services, and any legal, policy, or budgetary considerations to implementing that transition.

Hallelujah!  (Yes, I mean that.)  Perhaps the greatest problem in cyber security is security at scale, and transitioning the federal government to a more efficient model, with security embedded in shared-IT services that can be supplied by a common agency or outsourced to the private sector (with oversight) will increase the capability, effectiveness and agility of government IT and cyber security.

While we are on the Trump Administration draft executive order, I’m impressed.  The order gets the key issues and puts each on a path for action.  It implicitly identifies communications and electricity as infrastructures with the greatest potential for catastrophic and immediate damage.  Just as important, it identifies market transparency of risk management by critical infrastructure entities as a key approach for enhancing their security – that is, make sure the market knows what critical infrastructure is doing, so at least publicly traded companies can be rewarded (or not) for their efforts.  The approach isn’t that different from the Obama Administration’s May 2011 legislative proposal, which stated: “Our proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.”  More agreement.

Some have called the draft EO “bloatware” because it calls for 9 reports – I disagree.  I’m not a big fan of reports, and that is a lot of reports, but if each is a necessary preliminary step to build bureaucratic and political consensus for a new administration, prior to defining an action plan, I’m all in.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.