The President finally signed the long-awaited, once-delayed cybersecurity executive order on May 11, with less of the public flourish normally accorded the President’s recent executive orders (I’ll have a “Waiting for Godot”, to go, please).
The EO has evolved since earlier drafts. To the Trump administration’s credit, the EO’s development was given more time to incubate under the warm review – rather than post-hoc white heat – of affected stakeholders.
This in my view is generally a good statement of administration policy on cybersecurity – more evolutionary than revolutionary – but with a few question marks.
Key to the policy is the explicit linkage between cyber risk management and IT modernization in the federal enterprise, particularly in shared IT and cloud services. As my friend Tom Bossert, the President’s Homeland Security Advisor, smartly pointed out today in summarizing the EO, “We can’t promote innovation without first thinking through risk reduction.” So now it’s about execution and enforcement: the focus on IT modernization and building security requirements into acquisition requires aggressive implementation. That won’t be easy but it’s the right policy.
Indeed, the right policy about cyber risk management increasingly points to the NIST Cybersecurity Framework, the result of a public-private drafting partnership begun in February 2013 and promulgated one year later. The EO requires agencies to align with this framework, but is silent about agencies’ existing requirement to comply with much more detailed NIST standards for federal information security management – the so-called NIST Special Publication 800-53 and 800-37 guidance. This could become a confusing distraction for agencies in the short run as they attempt to map the far more rigorous and measurable NIST guidance to the broader Cybersecurity Framework.
It remains to be seen if this will result in better, more efficient cybersecurity risk management across the federal enterprise. But one value of the higher-level NIST Cyber Framework is that it is understandable by agency leadership, not just technical management, and thus perhaps promotes a higher level of accountability among the political ranks, just as Trump is demanding.
The EO checks an important box for cyber workforce development. Workforce skills shortage remains a gaping hole in our national cyber protection and response capability. There are too few skilled cyber warriors playing reverse musical chairs with recruiters: new chairs keep turning up but the seats outnumber the occupants in a continuous bidding war among companies and the government.
One element the administration should consider as part of a workforce development strategy would be a robust federal cyber R&D investment program through the academic community to educate and cultivate a pipeline of next-generation computer scientists and front-line defenders. The added benefit of such a program would be the application of that research to innovative new tools and technologies to support cyber risk management and response. This was the concept in the expired Cybersecurity Research and Development Act of 2002, a 5-year, $900 million down payment that needs to be dusted off and doubled down on.
The EO also rightly gives attention to the need for international coordination, which is an important recognition of our global interconnectedness. But where the EO reaches beyond our water’s edge, it stops at the DC border. It does not direct its domestic focus beyond federal systems to state and local cyber protection and support. This is essential. There are bipartisan bills in the House and Senate (HR 1344 / S. 516) to provide homeland security grant funding to state and local governments to collectively raise their level of cyber protection. The EO should ask for the same review of state cyber preparedness as it asks for federal.
This would be a forward-looking investment. As our nation moves increasingly toward “smart states” and “smart cities”, our national investment in infrastructure modernization must include the related digital infrastructure and cyber capabilities to secure it. This is just one of the recommendations made recently by the congressionally chartered Information Security and Privacy Advisory Board (ISPAB) to the incoming president. Indeed, in a May 12 DHS-led public conference-call briefing on the EO, three of the eight or nine questions taken asked about homeland security cyber grants to the states.
One head-scratcher, however, is in Section 2, which calls for assessments of government support for so-called critical infrastructure sectors, such as financial services, telecommunications, chemicals, electricity, oil and gas, transportation, etc. This is a necessary affirmation and amplification of a public-private partnership that has been ongoing for close to 15 years. But the EO loses some coherence when it calls out special attention to specific critical infrastructure sectors – telecommunications, electricity and the defense industrial base – to the exclusion of the others. If the government-identified 16 sectors are considered at “greatest risk” in the EO, what determination has made these three specially named sectors “most greatest risk”? All 16 sectors should be treated with equal concern because, by definition, the failure or disruption of any one of them could impact economic, homeland or national security, public safety, or result in loss of life.
What if, for example, hackers infiltrated an industrial control system that manages public water purification, resulting in over-chlorination and poisoning of the public water supply? This is a real threat, and why is that not specifically called out? If the critical sector reviews ask the right questions of all sectors, including their interdependencies, they will get the answers they need without asking twice.
The even bigger question is whether an executive order that calls for such in-your-knickers sector reviews might result in answers that some will conclude require regulation. The Trump administration is hopefully looking ahead to the range of answers they may have to dodge or steer the inquiries away from. Will the review find that botnets are not ISPs’ fault but a distributed vulnerability that’s far too complex to manage and so let’s just muddle along? Or that they’re a national problem and here’s the risk management solution, with penalties for non-compliance? Neither answer would give comfort.
This slippery slope through the back door of a regulatory house of cards (sorry) applies as well to a directive to examine “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cyber security risk management practices by …publicly traded critical infrastructure entities….” I feel the subsonic vibration of another SEC 10-K reporting requirement rolling down the track. Or as the great cybersecurity policy commentator Arlo Guthrie sang in “Alice’s Restaurant” in 1968: “…twenty-seven 8 x 10 colored glossy photographs with circles and arrows and a paragraph on the back of each one explainin’ what each one was, to be used as evidence against us.”
Overall, these critiques are nits, as we should trust that implementation will be left to a cyber team led by seasoned pros Tom Bossert and Rob Joyce in the White House, and Chris Krebs and others to be appointed at DHS, along with critical stakeholders who want to do the right thing to secure the country. They will manage what would otherwise be, for lesser minds and spines, an unwieldy process. Policy is always messy, but this is a good start for the Trump administration. It’s off to work we go.