President Donald Trump recently signed an Executive Order on cybersecurity, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." The EO is divided into sections on:
- cybersecurity of federal networks
- cybersecurity of critical infrastructure (CI) to support CI at greatest risk
- cybersecurity risks to the defense industrial base
- strategic options for deterrence and protection of the nation
- international cooperation and
- workforce development.
The EO raises CI cybersecurity to a higher priority in federal policy, tasking cabinet-level departments and sector-specific agencies with identifying and using their capabilities to support the cybersecurity risk management efforts of the CI entities at greatest risk. It also addresses sector-specific cybersecurity risks and capabilities in the communications and information technology sectors, the defense industrial base and the electricity subsector. Additionally, the EO contains an ambitious plan for updating and upgrading federal networks, which will ultimately be subject to Congressional oversight and appropriations.
The EO creates a new role for the Department of Defense in evaluating private sector CI and the capabilities of the Executive Branch to support CI cybersecurity risk management efforts, and in identifying stakeholder actions to promote the resilience of the Internet and communications ecosystem. Before the EO was released, significant concern was voiced over initial proposals to give DOD a role with respect to private sector CI, which critics saw as militarizing duties that had until then been civilian and led by the Department of Homeland Security. Compared with the draft versions, the final EO contains a scaled-back role for DOD with respect to private sector CI and preserves DHS as the primary cybersecurity agency.
Key takeaways from the EO are that the Trump Administration:
- is building upon Obama Administration policies, rather than deviating sharply
- is prioritizing strengthening both private sector CI and federal government cybersecurity
- is committed to updating federal government IT and
- plans to draw on existing Executive Branch capabilities as a resource for the private sector.
Critical infrastructure cybersecurity strategy
The EO establishes a policy of supporting CI cybersecurity risk management efforts and, in doing so, requires the Secretaries of Homeland Security and Defense, the Attorney General, the Directors of National Intelligence and the FBI, and the heads of appropriate sector-specific agencies to report to the President within 180 days with recommendations on how to better support the cybersecurity efforts of CI entities. This language does not apply to all CI entities, only to those at greatest risk of an attack that could have catastrophic consequences for public health or safety, or for economic or national security. These CI entities have already been identified by DHS under Section 9 of President Obama's 2013 cybersecurity Executive Order (EO 13636). The list of designees is relatively short but is not publicly available.
The report is required to detail the authorities and capabilities that agencies could employ to help advance CI cybersecurity risk management. CI entities have the option to provide input to the report on how their risk management could be better supported. This may be a good opportunity for CI entities to help shape cybersecurity policy during this Administration. The policy of having Executive Branch agencies use their capabilities to advance CI cybersecurity resembles the incentives plan envisioned under President Obama's 2013 cybersecurity Executive Order, which never translated into concrete agency actions.
The EO requires the Secretary of Homeland Security, in coordination with the Secretary of Commerce, to report to the President within 90 days on whether existing federal policies sufficiently promote transparency by CI entities about their cybersecurity risk management, with a focus on publicly traded companies. This record could potentially serve as the foundation for SEC guidance or regulations increasing cybersecurity transparency for investors.
The EO creates a process for establishing a strategy to combat botnets and other automated, distributed threats in order to improve the resilience of the Internet and communications ecosystem. The Secretaries of Commerce and Homeland Security will lead the process, with input from other interested federal departments and agencies, among them the Secretary of Defense, the FCC and the FTC, and from other appropriate stakeholders, including the private sector. The Secretaries will issue a preliminary report within 240 days and a final report by May 11, 2018. This process presents an opportunity for companies in the Internet ecosystem, including those involved with cybersecurity, to take part in the dialogue that will serve as the foundation for the final report.
One avenue for private sector participation is filing comments in response to the Request for Comment (RFC) that the National Telecommunications and Information Administration released on June 8 on behalf of the Department of Commerce, asking about potential solutions and approaches to the challenge of automated, distributed attacks and, in particular, how to protect IoT devices. The RFC will be followed by a National Institute of Standards and Technology (NIST) workshop on July 11-12 on solutions to advance the resilience of the Internet against automated attacks. Comments are due 30 days from publication in the Federal Register, which had not occurred as of the date of this publication.
The EO requires the Secretaries of Energy and Homeland Security to review and report within 90 days on cybersecurity threats to the power grid, the potential scope and duration of a prolonged power outage resulting from a cyber attack, and any gaps or shortcomings in mitigation capabilities. The electricity subsector is singled out because its assets are interconnected with, and depended upon by, other CI sectors such as communications and information technology.
The final subsection of CI cybersecurity addresses defense industrial base cybersecurity. The Secretaries of Defense and Homeland Security and the Directors of the FBI and National Intelligence are required to report to the President within 90 days on cybersecurity risks facing the defense industrial base and its supply chain as well as US military systems and networks. The report will also include risk mitigation recommendations. Ultimately, this report could result in greater regulation of supply chain risk for defense contractors.
Cybersecurity of the nation
The EO establishes that the policy of the Executive Branch is to support an open, secure, interoperable and reliable Internet while respecting privacy and guarding against fraud and theft. The EO also contains language on growing and strengthening the cybersecurity workforce. The Secretaries of State, Treasury, Commerce, Homeland Security and Defense, the US Attorney General and the US Trade Representative, in coordination with the Director of National Intelligence, are to report to the President on strategic options for deterring adversaries and protecting against cybersecurity threats. The Secretaries of Treasury, Defense, State and Homeland Security, in coordination with the US Attorney General and the Director of the FBI, must also submit reports to the President within 45 days on their international cybersecurity priorities, including investigation, attribution, information sharing, response and capacity building. Within 90 days, the Secretary of State, in coordination with the same department and agency heads, will produce an engagement strategy for international cybersecurity cooperation. Built from interagency input, this roadmap has the potential to address shortcomings in current international cybersecurity efforts.
Cybersecurity of federal networks
The EO states that the President will hold heads of Executive Branch agencies accountable for shortcomings in the management of cybersecurity risks to their agency and requires each head to implement risk management measures appropriate for the risk and magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data.
The findings subsection on federal networks discusses IT and data vulnerabilities at length, specifically calling out "antiquated and difficult-to-defend IT" and identifying as weaknesses the use by departments and agencies of outdated operating systems and hardware and their failure to apply vendor patches or security configuration guidance. The subsection also incorporates the private sector risk management best practice of addressing cybersecurity with an enterprise-wide, cross-discipline team.
The EO requires Executive Branch agencies to use the NIST Cybersecurity Framework and to provide a report to DHS and OMB within 90 days of the EO on the agency's risk management as of the date of the EO and its plan for implementing the Cybersecurity Framework. DHS and OMB are required to assess the reports within 60 days of receipt and report to the President with a plan to adequately protect the Executive Branch and to remedy any insufficiencies.
The EO establishes the policy of the Executive Branch to build and maintain a modern, secure and resilient IT architecture. The approach requires agency heads to "show preference" for shared IT services, including email, cloud and cybersecurity services, to the extent permitted by law. The Director of the American Technology Council, formed pursuant to a May 1 Executive Order, and DHS, in consultation with OMB, are required to assess a consolidated network architecture and shared cybersecurity services. A consolidated network for federal agencies was proposed by the Commission on Enhancing National Cybersecurity, which delivered its recommendations to President Obama in December 2016, and follows on the Obama Administration's policy on shared IT services issued in 2012.
The section of the EO on the cybersecurity of federal networks may ultimately result in new opportunities for government contractors that provide network, cloud and cybersecurity services.