The latest draft of President Trump’s much anticipated cybersecurity executive order was posted to the internet last week by security consultant Paul Rosenzweig. It is not the first and may not be the last draft that gets public scrutiny before the final version is formally published. Although it is currently a draft, it provides detailed insight into what can be expected.
The draft Trump cybersecurity executive order (EO) follows the recent trend in legislation and regulation of moving responsibility for cybersecurity away from the practitioners (CIOs and CISOs) and placing it at the top of the organization. Agency Heads will be responsible for security and will be required to report regularly to the OMB and DHS (or to the Secretary of Defense and the Director of National Intelligence for national security systems).
The latest draft displays semantic rather than substantive changes from the previously leaked version, although it adds a new section on security workforce development that includes monitoring the workforce development of potential adversaries. The limited changes could suggest that the EO is close to being issued; however, with no replacement yet announced for federal CISO Gregory Touhill (who resigned Jan. 17), it is equally likely that there will be some further delay.
Touhill publicly announced his resignation on LinkedIn. He said, “Frankly, we don’t need more policies, we need to execute the ones we have and eliminate the ones that no longer are aligned with contemporary best practices.”
Nevertheless, he went on to describe what lies at the heart of Trump’s draft EO: “We need a better architecture focused on shared services capabilities rather than one built on organization charts. We need accountability and ownership built into our culture. We need to intelligently leverage cloud computing and mobility solutions that produce effective, efficient, and secure results. We need to do regular risk assessments across each department and agency. We need to better train and regularly exercise our personnel.”
The draft EO does indeed focus on a better and updated architecture and on a risk management approach to securing federal systems. It notes, for example, that “The executive branch has for too long accepted antiquated and difficult-to-defend IT.” Not everyone agrees, however, that replacing old systems should be the priority; some suggest that securing new and complex systems will be no easier than securing older, simpler ones.
There is no explicit definition of an ‘antiquated’ IT system, although the draft does call out ‘known but unmitigated vulnerabilities’. These include “using operating systems or hardware beyond the vendor’s support lifecycle…” In practice, then, antiquated may mean ‘no longer supported’: a system past its support lifecycle receives no further vendor security patches, so each newly disclosed vulnerability in it stays unmitigated unless the agency compensates for it by other means. It is worth noting that on 12 April 2017, Frank Konkel wrote in NextGov, “The U.S. nuclear arsenal is coordinated by the 54-year-old Strategic Automated Command and Control System, run on 1970s-era IBM mainframes that still use 8-inch floppy disks.”
Risk management is specified and required. “Agency Heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.”
Risk management is specifically tied to “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage the agency’s cybersecurity risk.”
Protecting the critical infrastructure (CI) is another area of focus. Indeed, the executive order is titled, ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’. The CI is defined as comprising those “entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity).” The current list identified by the DHS comprises 16 CI sectors, including energy, communications, finance, healthcare, defense and emergency services.
These sectors will be examined to determine whether federal agencies can provide additional support for their risk management efforts, and whether there are obstacles to doing so. There is some criticism, however, that in singling out the section 9 entities of EO 13636 for special treatment, other critical areas (such as water purification and online voting) might be neglected.
One area that does cover the wider private sector is the desire to promote resilience against botnets and other automated, distributed threats. Here, “The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the Internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
It is perhaps disappointing that there is no specific reference here to the internet of things (IoT), nor indeed any reference to the IoT anywhere in the draft EO. Many security experts fear a dire future of distributed denial-of-service attacks from IoT-based botnets such as Mirai, and a more specific targeting of intrinsic IoT insecurity would benefit the entire internet.
The section of the executive order that specifies ‘cybersecurity for the nation’ is limited to broad brush strokes. The ‘policy’ is to “promote an open, interoperable, reliable, and secure Internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” Subsections talk about deterrence and protection (demanding “options for deterring adversaries and better protecting the American people from cyber threats”); international cooperation (requesting “an engagement strategy for international cooperation in cybersecurity”); and workforce development (including, for example, an assessment of “the scope and sufficiency of U.S. efforts to ensure U.S. national security-related cyber capability advantage”).
It would not be possible for a single short document on cybersecurity to satisfy everyone, and there are indeed both strong and weak points in this one. For example, the draft EO requires fifteen separate reports, to be delivered on timescales ranging from 45 days to 240 days from the date of the order. The effect of these reports could be to delay actual implementation of important security policies. It is tempting to recall the words of former federal CISO Gregory Touhill: “We don’t need more policies, we need to execute the ones we have…”
One very strong point, however, is that the policy outlined by this executive order (albeit only a draft for now) builds on the cybersecurity efforts already achieved by the previous administration. This will promote an invaluable bipartisan approach to the future of federal and critical infrastructure security.