The revised – and still draft – version of the Trump Administration's first Executive Order (EO) on cybersecurity shows both continuity and positive change over the Obama Administration's policy pronouncements, addressing federal agency network protection, critical infrastructure cybersecurity, and national cyber defense priorities.
Federal Networks and the new EO
The current EO establishes the NIST Cybersecurity Framework (NIST CF) as the functional baseline for evaluation of performance of federal network cybersecurity, a valuable restatement of prior policy. Agency heads are to be held accountable for the cyber risk management of their agency systems, charged with "operating integrated teams of IT, security, budgeting, acquisition, law, privacy, and human resources." This means that cyber risks are to be normalized and addressed in the ordinary management processes of federal agencies. If properly implemented, this represents an important reinforcement of management principles applied to cyber risk and best practice implementation. Treating cyber risks as an ordinary part of the operational environment confronting an enterprise directs managers’ attention to a new and possibly unfamiliar set of business challenges. Their responses – including the use of return on investment (ROI) reasoning for protections – is a necessary part of normalizing cyber risk management as a part of routine business planning. Additionally, the draft EO expresses life cycle cyber security management principles as findings addressing policy requirements. End-of-Life (EOL) issues affecting legacy IT infrastructure also receive special attention in the draft, a welcome improvement. Risk management reporting to OMB by agency heads receives a jump start through a 60-day requirement for a cyber risk management report. Intriguingly, the EO focuses on formalized "risk acceptance statements" as a key element in management of unmitigated cyber risks – a new development. OMB is to evaluate agency reporting alongside GSA and the Secretary of Commerce (NIST’s parent agency), and to put together a cross-agency plan achieving objectives aligned within the NIST CF umbrella.
Critical Infrastructure Cybersecurity
The Obama Administration's PPD-21 – Critical Infrastructure Security and Resilience – continues as the overarching executive branch focal point for critical infrastructure naming prioritization. Separately, however, the new executive order narrows focus significantly to PPD-21s companion document, Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. The draft order focuses on those critical infrastructure elements identified under EO 13636's Section 9 – namely, those at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. The focus here is on the vital subset of the critical assets and systems with enhanced support directed to private sector cyber risk management efforts, which will receive targeted analysis, findings, and recommendations in a report due within 180 days. Further visible in the draft EO is a separate "core communications infrastructure" concept that identifies reinforcement of communications sector owner operator resilience planning as a policy focus. Similarly, a separate assessment and focus on electricity disruption response capabilities would see the Secretaries of Homeland Security and Energy assess the scope and duration of possible cyber threats to critical infrastructure with a 90-day report back period for a consequence management and risk mitigation plan. In an interesting extension of the PPD-21 focus on information sharing, the draft order Section 2 (C) – Supporting Transparency in the Marketplace is a clear departure in federal policy, moving beyond encouraging information sharing through voluntary measures to active promotion of cyber risk management transparency through disclosure practices using market signals. By focusing on publicly traded critical infrastructure companies, this effort builds on prior SEC rule-making to achieve a broader enrichment of public understanding of key infrastructure cyber protections. This is a potentially useful public airing of otherwise largely opaque risk management practices. Defense Department concerns receive special attention in the document, with DoD, DHS, the FBI and the ODNI directed to prepare a report in 90 days to the Special Assistant to the President for Homeland Security and Counter Terrorism and the Special Assistant for National Security Affairs on cybersecurity in the defense industrial base, including supply chain risks impacting platform IT and business systems.
Cybersecurity for the Nation
The most interesting part of the draft order is the linking in Section 3 of a "Deterrence and Protection" (Section b) focus with an "Internet Freedom and Governance" (Section c) mission – the only part of the order where the Department of State takes a central role. These sections link sustainment of multi stakeholder internet governance to successful deterrence of adversaries and enhanced cyber protections. The linkage is skillfully argued and promises a useful alteration in US policies in a number of international fora. The new focus argues for greater emphasis on Allies and partners cyber defense collaboration, perhaps at the expense of UN-centric cyber norms discussion. Juxtaposed with NATO's recognition of cyber as an operational military domain, this order should be reassuring to allies and partners in both Europe and Asia. The order also identifies interoperability, reliability and security on the Internet as a key value, with fraud detection and privacy protection also listed as important values. The brief treatment of these issues is indicative a shift toward national security and critical node risk management and away from privacy concerns focusing on consumers. The Trump Administration's current draft executive order on cybersecurity is fundamentally better than the prior leaked version – perhaps accounting for the delay in the EO's release. It offers a focused approach to cybersecurity, balancing short-term reviews of policy with clear management principles favoring prioritization of Section 9 infrastructure systems, highlighting communications and electricity disruption as key concerns, and using market principles to enhance private sector transparency on infrastructure risk management practices. The integration of deterrence with a defense of multi-stakeholder governance of the Internet is a surprising and welcome development – focusing US cyber diplomacy in Allied forums and away from any simple continuation of UN-centered cyber norms activity.
About the Author: David Mussington PhD is Professor of the Practice and Director of the Center for Public Policy and Private Enterprise at the University of Maryland, and a Senior Fellow at the Center for International Governance Innovation (CIGI). Dr. Mussington served on the Obama Administration National Security Council staff, and was Senior Advisor for Cyber Policy at the Office of the Secretary of Defense. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.