Assessing the Latest Draft Cybersecurity Executive Order
Trump Administration Takes Its Time to Refine InfoSec Policy
The latest draft version of the Trump administration's cybersecurity executive order is similar to the previous version and lays out a plan to secure U.S. federal government and critical infrastructure IT that could have come out of the Barack Obama White House, including modernizing federal IT.
"The fact that they are focusing on IT modernization as a core component of improving federal cybersecurity is a good thing and one that further demonstrates some welcome continuity between the Obama administration's approach to cybersecurity and the new administration," says Jeremy Grant, a Chertoff Group managing director, who led the National Strategy for Trusted Identities in Cyberspace initiative during the Obama presidency.
Expectations of an early release of the cybersecurity executive order, or EO, have faded as one draft version after another slowly gets distributed among stakeholders. "All rumors that something is imminent are just that," says Grant, who adds that administration insiders tell him they continue to make changes in the EO.
Plus, the Trump administration is still building its IT and IT security team that would need to help implement the EO. The president has yet to name a federal chief information officer and federal chief information security officer, although some media reports say those appointments could come soon.
Emphasis on Risk-Based Approach
The latest version of the cybersecurity executive order - believed to be the fourth one and drafted about a month ago - isn't much different from the third rendition that came out in late February or early March (see Latest Executive Order Draft Promotes Risk-Based Approach). Both draft EOs emphasize a risk-based approach to IT security, have agencies employ the NIST cybersecurity framework, hold departmental secretaries and agency directors responsible for the security of their organizations' digital assets and promote a government-wide initiative to modernize information technology, in part, to ensure more secure systems. The earliest versions of the cybersecurity EO, unlike the recent ones, placed a greater emphasis on the military defending the nation's IT.
"This is evolutionary, not revolutionary," says Paul Rosenzweig, a homeland security consultant who served as DHS deputy assistant secretary for policy during the Bush administration.
What's new in the latest EO draft? It includes a section on workforce development. The draft EO would direct the secretaries of commerce and homeland security, with help from other agencies, to assess the state of efforts to train the American cybersecurity workforce of the future. The draft EO also would charge the director of national intelligence to "review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term U.S. cybersecurity competitiveness."
A major component of the draft EO calls for modernizing federal IT, which also is a priority for President Donald Trump and his administration. On May 1, Trump signed an executive order establishing the American Technology Council - which he'll chair - to transform and modernize government information technology and how it uses and delivers digital services. Trump also named his son-in-law and Assistant to the President Jared Kushner to lead the White House Office of American Innovation, which will oversee the administration's IT modernization initiative.
Modernizing federal IT has bipartisan support. The Obama administration promoted the idea of modernizing federal government IT in an April 2016 initiative (see White House Proposes $3 Billion Fund to Modernize Federal IT). Late last month, a group of Democratic and Republican lawmakers unveiled legislation to modernize federal government IT, in part, to improve system security (see Legislation to Modernize Federal IT Reintroduced in Congress).
Many security experts see modernizing IT as a critical means to improve security. "Many federal systems are exceedingly difficult to defend, due to their age, and the only way to remedy that situation is to change the IT," says Michael Daniel, president of the Cyber Threat Alliance, a not-for-profit, industry-sponsored information sharing and analysis organization and former Obama White House cybersecurity coordinator.
But not everyone equates modernizing IT with improved security. "There is still this misguided notion that you have to modernize IT to better secure IT," says IT security consultant Robert Bigman, the former chief information security officer at the CIA. "This is not an evidence-based observation and is largely pushed by IT vendors/contractors. The notion that the same people who could not secure older and simpler technology can now better secure modern and more complicated IT is ludicrous."
Larry Clinton, president of the industry trade group Internet Security Alliance, suggests modernizing the technology, on its own, won't toughen security. "The government already has purchased advanced technology but doesn't have the personnel to properly use it and thus these investments are largely wasted," he says. "We need to modernize our IT systems which includes upgrading the personnel as well as the technology."
Another provision in the draft EO calls on the secretaries of commerce and homeland security to head an initiative that includes the private sector to reduce the threats posed by botnets. "Work on such threats is critical, given what we have seen in the wild and the vulnerability of the ecosystem to such threats," says Philip Reitinger, chief executive of the Global Cyber Alliance, a not-for-profit that seeks solutions to systemic cyber risks.
"What I don't see is consideration of the even more significant threats that IoT (internet of things) devices can present, not from automated attacks, but self-destruction [such as] an attack that would brick several million smart meters or cars," says Reitinger, the former Sony CISO and a former top DHS cybersecurity policymaker. "Those may be intended to be included, or such threats may be under consideration elsewhere. But I want to make sure we are not letting the immediate threat take our eyes from the long-term threat."
One complaint expressed by some experts is the importance given to some critical infrastructure sectors over others. The draft EO emphasizes so-called Section 9 critical infrastructure sectors, which, if disrupted, would result in catastrophic effects on public health, safety, economic security and national security. Those sectors include telecommunications, electric and energy, and the defense industrial base.
"The EO loses some coherence when it calls out protection for the specific critical infrastructure sectors of communications and electricity, while bundling the other, unnamed critical sectors under one section for review," Signal Group Executive Vice President Greg Garcia says.
Seeking Equal Treatment
"All 17 sectors should all be treated with equal concern because the failure or disruption of any one of them could result in loss of life," says Garcia, a former DHS assistant secretary for cybersecurity and communications and former executive director of the Financial Services Sector Coordinating Council. "What if, for example, hackers infiltrated an industrial control system that manages public water purification, resulting in over-chlorination and poisoning of the public water supply? This is a real threat, and why is that not specifically called out?"
But the Internet Security Alliance's Clinton sees the emphasis on the defense industrial base in particular as being critical, especially as it relates to smaller defense contractors. "We have the prime contractors who do a very good job with cybersecurity," Clinton says, "but we also now have a large number of smaller firms in the supply chain that don't have the economies of scope and scale to fend off sophisticated attacks, and that is a very serious problem."
One persistent gripe echoed by a number of experts is that the executive order calls for too many studies to be conducted. The latest EO includes deadlines for more than 15 reports and studies. "It kicks the can down the road," says Martin Libicki, a cybersecurity expert at the think tank The Rand Corp.
Several experts point out that cybersecurity has been studied ad infinitum, and though some new studies are justified, not all of them are needed. Action, not study, is what they seek. "Waiting for yet another report to say the same things only increases the risk on easy to implement controls," says Viewpost Chief Security Officer Christopher Pierson, who has advised several homeland security secretaries on data privacy and integrity.