A week before Inauguration Day, then-President-elect Donald Trump raised the possibility that his administration would unveil substantial cybersecurity policy changes by springtime. The White House would release “a major report on hacking defense” within 90 days, he said. Almost immediately, however, the new administration signaled it would need additional time to start developing its cyber policy approach. On Jan. 31, the president postponed at the last minute the signing of the executive order (EO) that was intended to launch key cyber policy reviews, recognizing the need to revise the draft directive.
The final version of the EO, signed May 11, 2017, contains three main sections devoted to the cybersecurity of federal networks, critical infrastructure and the nation. It is a significant improvement relative to the early draft. It does not, however, amount to a major report on hacking defense. Rather, it marks the start of policy reviews initially planned for earlier in the administration. It steers clear of setting new requirements for industry and does not address how the U.S. government might better deter cyber threats to critical infrastructure. The EO’s focus on launching studies has been met with some criticism on Capitol Hill. The directive does, however, have significant implications for federal cybersecurity. Further, although the EO does not set requirements for companies, there are several potential ways it might increase long-term pressure on industry leaders to improve their cyber risk management. Here are some key points to consider when reading the EO:
The EO calls for greater accountability for agency heads to manage cyber risks across their enterprises and establishes a new requirement for federal agencies to use the NIST Cybersecurity Framework, a set of voluntary standards developed by the National Institute of Standards and Technology (NIST) during the Obama administration. The framework remains voluntary for industry; the new mandate applies to federal agencies.
Federal agencies should expect pressure to maximize effective use of the NIST Framework, measure progress and change their cybersecurity culture to more closely resemble the vigilance associated with high performance in the Defense Department. (During his confirmation hearing, Office of Management and Budget (OMB) Director Mick Mulvaney cited DOD as a role model for the civilian government in terms of cybersecurity culture.)
The EO not only requires adherence to the framework and documentation of unmitigated vulnerabilities but also calls for each agency's risk management report to include an "action plan" for implementing the NIST Cybersecurity Framework. It also calls for a review of how to develop more modern, resilient federal IT, including greater use of cloud computing. Shared IT environments, common operations functions and cloud technology can reduce attack surfaces by allowing government and commercial organizations to concentrate controls, but risks must be properly identified before IT and operations can be simplified.
Although the EO does not set new requirements for the private sector, its emphasis on stronger accountability for government leaders could in the long term set the stage for the White House to make similar calls for greater accountability for industry leaders, particularly in sectors most vital for U.S. national and economic security.
Improving cyber risk management is increasingly important for critical infrastructure owners and operators. We could see more scrutiny of such efforts by authorities, particularly in key sectors subject to focused reviews. If the federal government ends up having substantial internal dialogue on how to use metrics with the NIST Framework to assess agencies’ cybersecurity efforts, that might also eventually inform regulators’ thinking about how to measure and assess industry’s use of the NIST Framework. Like agency heads, business leaders must know the cybersecurity risks they face. Periodic or continuous reporting of cyber risks is the new normal for business leaders, no different from any other risk that businesses face.
The EO calls for the Department of Homeland Security and the Commerce Department to report to the White House on the sufficiency of existing federal policies and practices to “promote appropriate market transparency” of cyber risk management practices by critical infrastructure entities, with a focus on publicly traded companies. This could ultimately pave the way for more disclosures of cyber risks to investors. It might also signal an interest by the administration in enabling more detailed and effective assessments of the risk management of key infrastructure companies.
Greater transparency could, in turn, inform the government’s use of tools, carrots or sticks, to incentivize or compel improvement. In a May 11 statement on the EO, Rep. Jim Langevin (D-RI) underscored his interest in this section. “I have written repeatedly to the Securities and Exchange Commission asking them to strengthen shareholder protections in this regard, and I believe increased disclosure will help drive needed investments in and attention to cybersecurity,” he said in the statement. Jay Clayton, the new chairman of the Securities and Exchange Commission, said during his March 23 Senate confirmation hearing that he does not believe there is enough disclosure about whether there is board-level oversight of cybersecurity issues.
The EO leaves untouched the Department of Homeland Security’s lead role in aiding critical infrastructure with cybersecurity. It is possible that the cyber deterrence review will lead to a more prominent role for the Defense Department (including U.S. Cyber Command and the National Security Agency) in terms of defending critical infrastructure from cyber attacks and aiming to prevent adversaries from launching cyberattacks or hacking operations. Notably, however, the deterrence review will be led jointly by the secretary of state, the treasury secretary, the defense secretary, the attorney general, the commerce secretary, the homeland security secretary and the U.S. trade representative, in coordination with the director of national intelligence.
If DOD involvement in supporting critical infrastructure is ultimately expanded, U.S. critical infrastructure sectors might have to increasingly answer to DOD’s higher expectations about how sectors should manage cyber risks. During a September 2015 Senate Intelligence Committee hearing, for instance, Adm. Michael Rogers, head of U.S. Cyber Command and the National Security Agency, said U.S. critical infrastructure sectors had mediocre cybersecurity, a severe problem that put U.S. national security at risk. In reference to 16 critical sectors, Rogers said that he would assign each a score of five or six on a scale of one to ten. “That’s not where we need to be—clearly,” he said.
The EO says owners and operators of high-risk infrastructure will have an opportunity during a review led by the Department of Homeland Security—in coordination with DOD, the Justice Department, the director of national intelligence, the Federal Bureau of Investigation and appropriate sector-specific agencies—to provide input on how federal agencies’ capabilities could better support critical infrastructure. These industry entities were previously identified in an assessment under section 9 of former President Obama’s 2013 executive order on cybersecurity for critical infrastructure. The list is not public.
DHS identified more than 60 critical infrastructure entities where a single cyber incident could reasonably result in $50 billion in economic damage, 2,500 immediate deaths or a severe degradation of national defense, as Sen. Susan Collins (R-ME) noted in a September 2015 Senate Intelligence Committee hearing.
Three distinct reviews called for in the EO would aim to spur greater resilience in the communications sector to address botnet threats; improve risk management in the Defense Department and the defense industry (including supply chain issues); and address the implications of a major cyberattack on the power grid. The “Assessment of Electricity Disruption Response Capabilities” would look at the readiness of the United States to manage the consequences of a major cyberattack against the electric subsector and any shortcomings in the assets and capabilities required to mitigate the consequences of such an incident. This review would likely assess the readiness not only of government but also of multiple industry sectors, judging from a June 2016 Homeland Security Advisory Council report on cyber incident response. The 2016 report noted that post-cyberattack power restoration would require significant coordination among utilities, and between the electric subsector and senior government officials. Further, it stated that consequence management is focused on “the manifestation of impacts across the various infrastructure sectors as a result of the underlying cyber issues.” The Trump administration’s assessment might therefore cover not only the electric subsector but also the financial and communications sectors, given that the 2016 report discussed how a cross-sector attack (striking the electric, communications, and financial sectors) would complicate power restoration. The 2016 report’s recommendations—which proposed options to strengthen cross-sector resilience—might provide a starting point for DHS as it begins the assessment.
The “America First” doctrine introduced at the outset of the Trump administration raised questions about whether the White House would pull back from global leadership on developing norms of behavior in cyberspace, and potentially miss opportunities to improve cybersecurity information sharing across international borders. The EO, however, takes a different approach by underscoring the need to work with allies and by including language directing the secretary of state to develop a new strategy for international cooperation in cybersecurity.
The EO calls for multiple reviews aimed at expanding the U.S. cybersecurity workforce to ensure the United States maintains a long-term competitive advantage. Language on the subject was included in the January EO draft, then deleted in the version leaked to the press in February. Ultimately, the administration decided it was too important a subject to exclude from the directive. The importance of workforce development, education and training in this arena will likely grow significantly in the coming years as the cyber risk landscape continues to expand.