Last weekend’s global cyber-attack shocked a lot of us due to its size, scope and impact. As news of the attack broke around the globe, each story was more concerning than the last and raised the question: what is the US doing about cyber security?
Recently, an Executive Order was signed that continues the US government’s efforts to secure our cyber environment. The Order requires significant information gathering and reporting back to Homeland Security. These reports will be used in developing a more robust defense framework for the US.
The first requirement is for federal agencies to perform a cyber-risk assessment using the NIST standards. The results of this risk assessment will help identify the current state of cyber readiness as well as potential exposures. The cost associated with improving and remediating any exposures will be quantified and reported.
There are several interesting components to the information gathering and reports in addition to the risk assessment. Agencies are required to consider and evaluate how best to share information on cyber risks and defense. Currently, there isn’t a consistent mechanism for sharing solutions and results across agencies. The use of protected cloud-based resources for this sharing, and increased reliance on private-industry thought leadership, are also being evaluated.
One of the most significant issues in cyber today is a lack of trained personnel. The Order requires an evaluation of, and a report on, the current training and education environment, with the aim of developing these resources.
All of the reports and assessments are due within 90-120 days. These reports should provide a good basis from which the country can further develop cyber resiliency. While our day-to-day activities are not currently impacted by this approach, it’s not hard to imagine that once the policies are developed, they will be quickly adopted by federal agencies. Given the interconnected nature of our government, I would imagine the federal agencies will require these same policies for state and local governments that regularly interact with the federal government.
Right now, there is no action to be taken outside the required reports. It will be interesting to see how this information gathering process influences cyber policy in the US in the near future.