“Controversial” has been the word most often attached to President Donald Trump’s executive orders since he took office in January. From his order suspending entry from seven Muslim-majority countries to his rollback of the previous administration’s executive orders targeting air pollution, President Trump has invited court challenges and inspired street protests at almost every turn.
Which is why a draft executive order on cybersecurity is so disorienting: a missive from the new President that is generating little heat or light because, truth be told, the thing makes a heck of a lot of sense.
Here’s the deal: the previous Administration endured a number of high-profile and embarrassing cyber incidents at federal agencies. These ranged from the leaks by former Booz Allen Hamilton contractor Edward Snowden to the hack of the Office of Personnel Management. It’s also true that President Trump inherited several information security initiatives started under the Obama Administration. Those range from an (apparent) covert campaign of cyber attacks intended to disrupt North Korea’s rogue nuclear weapons program to the 44th president’s Executive Order for Improving Critical Infrastructure Cybersecurity (2013) and Cybersecurity National Action Plan (2016), which included the creation of a Federal CISO and plans to invest billions in IT modernization within the government.
From the start, the Trump Administration talked about the need for a top-down review of government IT and cybersecurity programs. I interviewed Trump advisor Lt. Gen. Mike Flynn in October, a month before the election, and this cyber ‘stand down’ was high on his list of priorities. So too was the idea of accountability – that the people in charge of government agencies needed to own responsibility for the security of their networks.
Some of those ideas – and others – appear to have found a home in a draft executive order posted on the blog Lawfare, which outlines the new Administration’s plans on cybersecurity within the Executive Branch. Agency Heads, the order says, “will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems.” Accountability will also extend to planning – “ensuring that information security management processes are aligned with strategic, operational, and budgetary planning processes.”
In an IT procurement environment in which bad deeds (or just incompetence) often go unpunished, that kind of top-down accountability is hard to argue with. More important, however, is the focus on risk-based assessments and the need to align cybersecurity to high-risk exposures, from software vulnerabilities to the use of obsolete platforms.
The draft goes on: “Effective risk management involves more than just protecting networks and data currently in place. It also requires planning so that future maintenance, improvements, and modernization occur in a coordinated fashion and with appropriate regularity.” Failing to apply vendor patches, failing to follow security configuration guidelines, or continuing to run software beyond the vendor’s support lifecycle are all examples of risk management failings. And, once again, it is hard to find fault there.
As for how agency heads should assess their risk, the executive order is refreshingly specific: NIST’s Framework for Improving Critical Infrastructure Cybersecurity is to be the yardstick for assessing and improving agency risk management. Agency Heads will need to provide a report to the Director of the Office of Management and Budget (OMB) and the Secretary of Homeland Security within 90 days describing the agency’s implementation of the Framework, including an overview of steps taken to mitigate risks.
On the modernization front, the Trump executive order instructs agency heads to “show preference” in IT procurement for “shared IT services,” “including email, cloud and cybersecurity services,” and calls for a report on the feasibility and cost effectiveness of “transitioning all agencies to one or more consolidated network architectures.”
Despite Mr. Trump’s frequent criticism of his predecessor, the executive order on cybersecurity builds on Mr. Obama’s previous cybersecurity orders, calling on the Federal Government to identify capabilities and “authorities” that agencies can deploy to support cybersecurity efforts by critical infrastructure owners and operators.
The order also calls for an examination of the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cyber risk management practices by critical infrastructure entities, focusing on “publicly traded critical infrastructure entities.” With so much of the U.S. critical infrastructure in private hands, such transparency initiatives are valuable.
As recent events have shown, cybersecurity is one of the most pressing problems facing both the private and the public sector. In the heated and partisan atmosphere of Washington, D.C., it’s also notable for being one of those rare arenas of bipartisan consensus. The draft executive order on cybersecurity reflects that and suggests that in this arena, anyway, the Trump Administration seems poised not to “shake things up” so much as to carry forward the progress of the Obama years in a sober way: implementing programs that seem designed to strengthen and improve government networks and better protect the security of government systems and data. Here, in other words, there is cause for hope.