The Cybersecurity Executive Orders: A Tale of Two Trumps

One of President Trump’s planned Executive Orders was on Cybersecurity. Two weeks ago, a draft was circulating – but it was never signed and released.

Last week, a new draft was leaked. While we can’t verify its validity, the leaker is a well-connected Beltway consultant with ties to the Heritage Foundation; he claims he has received the draft text from 3 different sources.

We did a side-by-side comparison of the two drafts. There is a huge difference. It’s like night and day, Dr. Jekyll and Mr. Hyde, or maybe Steve Bannon and Paul Ryan. The first draft managed to be both aggressively nationalistic and short on useful substance.

The second draft is calmer, more focused and better-informed; it reads like it was vetted and amended by an interagency task force that included the Commerce Department, NIST, the State Department and the tech industry and not just the Administration, the military and DHS.

It starts with the title. The old EO says it’s all about strengthening the nation’s security and cyber-capabilities. Its first section emphasizes nationalism and strength; the U.S. is so, so tough and intends to shape cyberspace more than anyone else.

STRENGTHENING U.S. CYBER SECURITY AND CAPABILITIES

It is the policy of the United States to defend and enhance the security of the Nation’s cyber infrastructure and capabilities. Free and secure use of cyberspace is essential to advancing US. national interests. The Internet is a vital national resource. Cyberspace must be an environment that fosters effciency, innovation, communication, and economic prosperity without disruption, fraud, theft, or invasion of privacy. The United States is committed to: ensuring the long-term strength of the Nation in cyberspace; preserving the ability of the United States to decisively shape cyberspace relative to other international, state, and non-state actors; employing the full spectrum of our capabilities to defend US. interests in cyberspace; and identifying, disrupting, and defeating malicious cyber actors.

The new EO, in contrast, actually has appropriate and well-defined labels for what it wants to secure: Federal networks and critical infrastructure. It deletes all that junk about how tough we are and notes that the government operates its networks on behalf of the American people. It insists that these facilities be secured “responsibly.” In words reminiscent of IT managers it refers to the executive branch as an “enterprise” and holds Agency heads responsible for “managing risk” across the enterprise.

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

The executive branch of the Federal Government operates its networks on behalf of the American people.  These networks and the data on them should be secured responsibly using all United States Government capabilities.  …it is the policy of the United States to manage cyber risk as an executive branch enterprise.

The first EO’s Findings section starts out on an alarmist note: It’s dangerous out there, we are under siege; we could all die.

“America’s civilian government institutions and critical infrastructure are currently vulnerable to attacks from both state and non-state actors. Criminals, terrorists, and state and non-state actors are engaging in continuous operations that impose significant costs on the U.S. economy and significantly harm vital national interests. These operations may disrupt or disable the functioning of important economic institutions and critical infrastructure, and may potentially cause physical effects that could result in significant property damage and loss of life.”

The Findings of the new EO are rooted in IT risk management practices. It states that the federal government has accepted antiquated systems for too long, and coolly identifies “known but unmitigated vulnerabilities” such as the failure to update operating systems as the “highest risks faced by executive departments and agencies.” It mandates that:

(i)  Agency Heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems.  …

(ii) Effective immediately, Agency Heads shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage their agency’s cyber risk.

In terms of actual substance, the first EO does little more than call for five reports:

  1. A “Vulnerability review”
  2. An “Adversary review”
  3. A “Cyber capabilities review”
  4. A Workforce Development review
  5. Private sector infrastructure incentives report

In the first four reports the Defense Department and Department of Homeland Security are in the lead. In the 5th report the Commerce Department chairs, Treasury and DHS are involved and can invite the Securities and Exchange Commission and the Federal Trade Commission. The State Department is not mentioned anywhere!

The second EO, in contrast, is more coherently organized. Section 1 focuses on “Federal networks,” Section 2 on “Critical infrastructure,” and Section 3 on “Cybersecurity for the nation.” The agencies involved are significantly broadened, with the Office of Management and Budget (OMB) and the State Department, Commerce Department, US Trade Representative, the Attorney General and even the FCC being mentioned with appropriate roles.

Section 1, as noted before, has a risk management focus and calls for a detailed report on the modernization of the federal government’s IT systems. This report will be led by the Commerce Department, DHS, the Office of Management and Budget (OMB), and the Administrator of General Services. There is a strong emphasis on shared/cloud systems. National security systems must conform to the same recommendations but the modernization effort is separate and will be led by the Secretary of Defense and the Director of National Intelligence.

Section 2 focuses on critical infrastructure. It draws on Obama administration Executive Order 13636 and Presidential Policy Directive 21 of February 12, 2013 and has four components:

  • Supporting Transparency in the Marketplace. A report will examine the sufficiency of existing Federal policies and practices to promote awareness of the cyber risk management practices by critical infrastructure entities
  • Improving the resilience of core communications infrastructure. Sets a goal of reducing threats perpetrated by botnets.
  • A major risk assessment of Electricity Disruption Response Capabilities, involving DHS, the Energy Secretary, and in consultation with State, local, tribal and territorial governments and other stakeholders
  • A report on the cybersecurity risks facing the Department of Defense warfighting capabilities and the defense industry, including its supply chain.

Section 3 of the new EO, on Cybersecurity for the Nation, contains subsections on (a) Policy, (b) Deterrence and Protection, and (c) Internet Freedom and Governance. Compare the Policy section of the prior EO draft (quoted above) with the new one:

It is the policy of the United States to promote an open, interoperable, reliable, and secure Internet that fosters efficiency, innovation, communication, and economic prosperity, and respects privacy, while guarding against disruption, fraud, and theft.

Added is the emphasis on open and interoperable; gone is the claim that the internet is a “vital national resource,” and the reference to “preserving the ability of the United States to decisively shape cyberspace relative to other international, state, and non-state actors.”

The section on deterrence mandates a report to the President “on the nation’s strategic options for deterring adversaries and better protecting the American people from those who would use networked technology to defeat or undermine this policy.” The report is supposed to be done by the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence.” Note the many new agencies in the mix, going well beyond military and national security agencies in the first EO.

The section on Internet freedom and governance calls the Internet is “a resource that underpins American power, innovation, and values.”  It mandates a “report to the President on continued actions to support the multi-stakeholder process to ensure the Internet remains valuable, reliable, and secure for future generations.” Here again, the list of agencies involved includes State, Commerce, and the Attorney General as well as Defense and DHS.

Overall, we see in the new EO continuity rather than any major new initiative or departure from the past. Most of the themes and problems identified have been discussed at length for more than a decade. It remains to be seen how the recommendations of the many mandated reports will play out.

Here is a document with changes between the two drafts displayed:

EXECUTIVE ORDERs-Differences


One comment

  1. mark v

    (i) Agency Heads will be held accountable by the President….

    a) This was already true for every executive agency, but worth repeating.
    b) The Department of State is a federal executive agency, with the Secretary of State as its head.
    c) This passage will be (and always should have been) applied to the Secretary in cases where breaches of information security systems occurred, especially those resulting in stolen classified information by DoS employees.

    As she was not granted a Presidential pardon, Hillary Clinton still needs to be held accountable for her deliberate actions during her tenure as Secretary of State. Time will tell if Trump follows his own executive order on this.

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>