Has cybersecurity been overstudied by the U.S. federal government and its stakeholders?
Melissa Hathaway, who served presidents George W .Bush and Barack Obama as a top cybersecurity adviser, points out that over the past decade, more than 100 recommendations on improving the cybersecurity of government and the private sector have come from Congress, presidential studies and private-sector think tanks (see Obama's Cyber Review Leader on What's Ahead for Trump).
"This will require every agency to dedicate precious and shrinking resources - time and personnel - to develop these plans, delaying and possibly distracting these agencies from their current cybersecurity activities and operations."
But for the most part, those recommendations have not been implemented, she points out. "They have consistently called for the need for leadership, follow-through and operationalization of the policies," says Hathaway, a senior adviser on cybersecurity at the Harvard Kennedy School's Belfer Center for Science and International Affairs.
Hathaway says the cybersecurity executive order signed by President Donald Trump on May 11, which directs the government to further study the problem, will add dozens of new reports in 14 areas (see Trump Finally Signs Cybersecurity Executive Order).
"This will require every agency to dedicate precious and shrinking resources - time and personnel - to develop these plans, delaying and possibly distracting these agencies from their current cybersecurity activities and operations," Hathaway says.
Hathaway is a veteran of cybersecurity strategy development. In February 2009, a new president - Obama - tapped Hathaway to conduct a policy review that became the basis of the Obama administration's cybersecurity policy.
She acknowledges that modernizing government IT is "desperately needed" and is consistent with congressional initiatives. "It is essential that we clean up our infected infrastructures," the former presidential adviser says.
"It is clear that cybersecurity is an important priority to President Trump," Hathaway says. "I am happy to see new initiatives along with continuity of some of the important activities that commenced under Presidents Obama and Bush."
Hathaway created a table that lists the new executive order's 14 requested reports, deadlines to complete the studies, lead agencies overseeing the studies and the recipients of the reports. The primary recipient for most of the reports is Thomas Bossert, assistant to the president for homeland security and counterterrorism. Bossert's portfolio includes cybersecurity.
|Risk Management Report (using NIST Framework)||90 Days||All Agencies||OMB|
|Governmentwide Risk Assessment||150 Days||OMB with support from DHS, DoC, GSA||Assistant to the President for Homeland Security and Counterterrorism (APHSCT)|
|Modernizing Federal IT - Shared IT Services||90 Days||DHS, OMB, GSA, DoC||Director, American Technology Council|
|Modernizing Federal IT - Shared IT Services for National Security Systems||150 Days||DNI and DoD||Assistant to the President for National Security Affairs (APNSA) and APHSCT|
|Supporting and Engaging Section 9 Entities - Cybersecurity Risk Management||180 Days (report annually)||DHS with others||APHSCT|
|Market Transparency for Critical Infrastructure Entities||90 Days||DHS and DoC||APHSCT|
|Increase Resilience to Automated Distributed Threats (Botnets) (Draft Report)||240 Days||DOC and DHS||Public Report|
|Increase Resilience to Automated Distributed Threats (Botnets) (Final Report)||365 Days||DOC and DHS||POTUS|
|Assessment of Electric Sub-sector Incident Response Capabilities||90 Days||DOE and DHS||APHSCT|
|Risks to Defense Industrial Base, Including Supply Chain||90 Days||DoD, DHS, FBI with support from DNI||APNSA and APHSCT|
|Strategic Options for Deterrence||90 Days||DoS, Treasury, DoD, AG, DHS, and USTR||APNSA and APHSCT|
|International Cybersecurity Priorities||45 Days||DoS, Treasury, DoD, DoC, DHS, AG, FBI||POTUS|
|Engagement Strategy for International Cooperation||135 Days||DoS||APHSCT|
|Cybersecurity Workforce Strategy||120 Days||DoC and DHS, with support from Labor, Education, OPM||APHSCT|
|Cybersecurity Workforce Strategies of Other Nations||60 Days||DNI||APHSCT|
|Cyber Capabilities Assessment||150 Days||DoD||APHSCT|