The Cybersecurity Disappointment


Jack Ring

May 17, 2017, 4:46:47 PM
The anxiously awaited federal response to the nation’s cybersecurity threat was released May 11, 2017.


Unfortunately:

1) The stated Purpose is to strengthen cybersecurity not to assure cybersecurity.

2) The stated Scope is Critical Infrastructure and National Security systems, not all federal, national, state and local systems.

3) The Method is based on the subjective perceptions of risk, not on system principles such as dynamic and integrity limits.

4) The mandated Process is the NIST version of risk management which focuses largely on risks from external, intentional sources but not on risks from internal, unintentional or purposeful sources.

5) The Order calls for Electricity disruption incident response but not incident prevention.

6) While acknowledging "The executive branch has for too long accepted antiquated and difficult-to-defend IT," the order enables continued acceptance of faulty vendor software by calling for better management of "known but unmitigated vulnerabilities" while not calling for selecting only vendors who offer drastic reduction of such.

7) The order introduces an unsubstantiated solution concept for "the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats," notably "(aa) one or more consolidated network architectures;" and "(bb) shared IT services, including email, cloud, and cybersecurity services."

8) The order uses the term "IT architecture" to signify "the integration and implementation of IT within an agency," not the design concept of "arrangement of function and feature that satisfies system objective."

Recommendation: Systems practitioners, U.S. and world-wide, should strive to implement this current Order while vigorously encouraging development of a necessary, sufficient and efficient version.

Jack Ring

