Latest Executive Order Draft Promotes Risk-Based Approach

Proposal Would Hold Agency Heads Responsible for IT Security
The latest version of the draft of a cybersecurity executive order from the Donald Trump White House would direct the federal government to take a risk-based approach to IT security and hold cabinet secretaries and agency heads responsible for the security of their organizations' IT assets.
The draft executive order also would require federal agencies to adopt the National Institute of Standards and Technology cybersecurity framework as well as encourage agencies to employ shared IT services, including those for email, cloud computing and cybersecurity. In addition, the draft proposes modernizing the government's information technology and IT architecture.
"On balance, it's a good EO," says Herbert Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation. Most of the draft is not prescriptive; instead it calls for assessments of various aspects of safeguarding government IT, with reports to be filed by those conducting the appraisals within 60 to 240 days of the signing of the executive order, depending on what's being examined. "It's not meant to stop there," Lin says of the draft executive order. "It's meant to be the first step. These reports will inform further action."
Easier Said Than Done
Experts who reviewed the draft executive order - the third one the Trump administration has circulated - point out that its goals might be easier to state than implement.
Take, for instance, holding the cabinet secretary or agency director ultimately responsible for assuring their department's or agency's IT security.
"There's no doubt that the heads of agencies have responsibilities, but I can't help but caution they may be being set up to fail," says Steven Chabinsky, global chair of Data, Privacy and Cybersecurity at the law firm White & Case and, like Lin, a member of President Barack Obama's Commission on Enhancing National Cybersecurity.
That's because government departments and agencies lack the financial wherewithal, security skills and procurement know-how to meet all of the demands to strengthen their IT security, he says. "It's one thing to say that they're responsible; I agree they need responsibility, but that responsibility in my mind is a leadership role that will bring to the fore what the real issues are," Chabinsky says at a cybersecurity forum held by the think tank Center for Strategic and International Studies.
Holding heads of agencies responsible for IT security - if properly implemented - is seen as reconceptualizing cybersecurity as an enterprise risk management issue rather than an IT issue. "This would be a real change from current government procedure and a positive one," says Larry Clinton, chief executive of the industry group the Internet Security Alliance. "Such a change would mimic recent positive trends in the private sector where, for example, corporate boards have become increasingly involved in cybersecurity for their organizations and not just relied on IT departments to manage the problem."
Still, Clinton says it's doubtful that most agency heads have much, if any, appreciation of the critical subtleties of cybersecurity. "If the agency heads simply delegate the responsibility to the IT departments there will be no progress," he says.
Clinton suggests the federal government follow the lead of some corporations that provide training to their boards of directors in cybersecurity risk management and provide similar programs to agency heads and lawmakers.
Another sign the Trump administration wants to take a risk-based approach toward IT security is the call in the draft executive order that agencies adopt the cybersecurity framework, a 3-year-old guide published by NIST, aimed at protecting the information assets of critical infrastructure providers, to manage their risk. The framework has proven popular among many businesses and some government agencies, even those not considered critical infrastructure. Legislation before the House of Representatives would require federal agencies to implement the cybersecurity framework (see Panel OKs Plan for NIST to Audit Framework Implementation).
Is Cybersecurity Framework a Must?
But a former DHS assistant secretary for cybersecurity and communications in the George W. Bush administration, Greg Garcia, questions the need for agencies to adopt the cybersecurity framework. "It seems to be a distraction to hold agencies accountable to the NIST cybersecurity framework when they're already required to comply with the far more rigorous and measurable NIST guidance," Garcia says, referring to NIST Special Publications 800-53 and 800-37, which respectively catalog the security and privacy controls for federal information systems and lay out the Risk Management Framework for applying them. "I can see some value in mapping those to the framework but it isn't clear what the framework would add to agencies' security posture."
Whether through the cybersecurity framework, NIST guidance or other approaches, Stanford's Lin says, employing a cybersecurity risk management approach doesn't necessarily assure that an agency's IT systems and data will be secure. "Risk management is a buzz phrase; it depends on how people who oversee it understand the term," Lin says.
Assessing cybersecurity risks requires the balancing of security against the agency's mission that information technology facilitates. "It's essentially a tradeoff," he says. "I'm willing to accept some risk, but not an infinite amount of risk. How much is some? I still have to get my mission done. Am I willing to achieve some compromises? Well, maybe."
'Can't Have Perfect Everything'
Taking a system down a day to patch a significant security vulnerability could be acceptable, but taking it down for a week wouldn't be. "The agency has to manage that kind of risk," Lin says. "But then it's not fair to say to them, 'You have to have 100 percent availability, 100 percent functionality and zero risk.' You can't do that. ... You can't have perfect everything, you have to make compromises."
The draft executive order calls on agency heads to assess sharing IT services, such as email and cloud services, with other agencies, and to evaluate the architecture needed to do so. Karen Evans, national director of the U.S. Cyber Challenge and cybersecurity adviser to the Trump transition team, says agencies are more likely to share IT services if the focus is on security rather than cost savings. Evans, who held the top IT post in the George W. Bush White House, says taking a security approach to shared services would allow agencies to identify the best technical offerings to safeguard IT. "If we actually looked at those models in shared service and looked at it from a national security perspective ... then all international and national policies would evolve from that," Evans says, speaking at the CSIS cybersecurity event. "Now, your technical solutions can evolve from that."
Rough Edges Filed Off
The latest draft executive order is seen as a cleaner version than earlier ones. "The rough edges of previous drafts have been filed off, so the document is more clear," says Garcia, executive vice president at Signal Group, a Washington lobbying and digital strategy company. "It hits the right notes for resetting federal agency security and shared IT services."
What's missing from the latest draft that existed in an earlier one is a call for incentives for organizations to adopt IT security measures. "The need to rebalance the economic incentives that are generated by the digital economy is clear and ought to be a part of the new president's plans," Clinton says.