Our bottom line up front, assuming the text of this draft does not change, is that while the intent of the executive order represents a reasonable start to getting a handle on the cybersecurity challenges that await this administration, this appears to be another case where an executive order has not been coordinated with federal departments and agencies. Compared to other recent orders, this one is fairly tame—for example, we see no attempt to scale back U.S. compliance with international law. But that is a very low bar, albeit one that has been difficult for the new Administration to meet at times. Here, our concern is that the document’s authors are either unaware or dismissive of the substantial equities and capabilities of a broad swath of the government.
The biggest surprise is the absence of any mention of the FBI. We are not sure how to explain this, as the FBI and law enforcement secured an important role in cybersecurity early in the Obama Administration. Perhaps this is an omission that will be corrected in a later draft. However, if the FBI remains absent from this EO, it will be the agency with the most to lose out of this process. The FBI zealously guards its role in investigating malicious cyber activities, and had been given a leading role in Obama-era policies, most recently in Presidential Policy Directive 41. Depriving it of a role in these reviews would be a significant reversal from past years.
At its core, this order loosely follows a traditional formula to estimate risk: assess the threat from adversaries, your vulnerability to that threat, and the consequences if the vulnerability is exploited. In essence, the Administration wants to get a better idea of our nation’s vulnerabilities and the threats it faces and to determine what tools we might have at our disposal to protect critical infrastructure from those adversaries. Here is our rundown of the draft, which we caution may very well change before it is finalized, along with some concluding thoughts on what the order leaves out.
Policy and Findings—These first two sections of this draft EO could just as easily appear in any of the key Obama-era cyber strategy documents. The policy and findings sections reaffirm several of the touchstones we have come to expect from the federal government: the need to preserve the Internet as an engine of prosperity and innovation without jeopardizing our privacy or allowing criminals free rein; the dynamic nature of the domain and the increasingly interdependent nature of information technologies and critical infrastructure; and the vulnerabilities found in both private and public sector networks. We are not even sure that the final finding, that U.S. departments and agencies are not properly organized to deal with these issues, would have been particularly controversial in the prior Administration. Information security and cyber issues pose a formidable challenge for federal government agencies whose authorities often predate computing and networking by decades.
Policy coordination—This section indicates that the management of cyber issues will be consistent with the newly-signed National Security Presidential Memorandum (NSPM) 2, which establishes the National Security Council organization and coordination. Key here is that the Assistant to the President for Homeland Security and Counterterrorism, Tom Bossert, will have the authority to convene the principals committee (consisting of cabinet secretaries). Bossert will reportedly retain the cybersecurity portfolio, as did President Obama’s Homeland Security Advisor, Lisa Monaco—a noteworthy point of continuity. Bossert, however, is entering the job with more cybersecurity experience than Monaco, and has already indicated that cybersecurity will be a particular area of focus. This, and the elevated stature of the Homeland Security Advisor as on par with the National Security Advisor, likely will mean an elevated level of attention on these issues for this administration.
Review of Cyber Vulnerabilities—The first substantive section of this executive order is about vulnerabilities. We think it wise to begin the analysis not with a study of capabilities and offense, but with an awareness of how we as a country are vulnerable. As one of our colleagues, Ben Buchanan, likes to say: in the United States, we may have some very nice cyber rocks, but we live in a very glassy house. [Note: We interpret this section’s focus on vulnerabilities to be far broader than the occasionally-discussed Vulnerabilities Equities Process, which provides for interagency coordination about disclosing software and hardware vulnerabilities. Instead, the word “vulnerabilities” as used in this draft EO is meant to address systemic risk in critical infrastructure.]
The executive order calls for a comprehensive review within 60 days of “the most critical U.S. cyber vulnerabilities.” Then, the Secretary of Defense is charged with submitting recommendations to the President on how best to address vulnerabilities in “national security systems,” or those federal-government systems involving intelligence and military activities. (A more precise definition of national-security systems is included in the executive order.) This is as we would expect: it seems reasonable to assume that the Secretary of Defense can exercise authority, direction, or control over most of these systems in some way or another, although we anticipate that various components of the intelligence community will provide essential input.
For those who feared that the Department of Homeland Security (DHS) would be cut out of cybersecurity under the Trump Administration, fear not. The Secretary of Homeland Security is charged with coordinating and submitting recommendations for the “enhanced protection of the most critical” non-national security systems: “civilian federal government, public, and private sector infrastructure.” Generally, “civilian federal government” systems are considered to be part of the .gov and other unclassified networks owned and operated by the federal government. Public sector infrastructure, the way we read it, would cover public infrastructure like the Tennessee Valley Authority. Private sector infrastructure is a well-known category in the community, including those systems owned and operated by private companies that interact with important infrastructure like the electric grid. Of course, there will be some wiggle room when it comes to distinguishing the “most critical” systems from those thought to be less critical.
What is surprising here is that this central role for DHS is at odds with some rumors over the last few weeks that the Department of Defense (DoD) would be playing a much larger role in national cybersecurity policy. To the contrary, by tapping DHS to submit recommendations to better protect these networks, the Trump Administration is continuing the Obama Administration’s approach to DHS’s role—that it should be the lead civilian agency for cybersecurity. Although it remains to be seen how DHS will fare in terms of any subsequent realignment of roles and missions, for now its role remains as before.
In addition to submitting recommendations to address vulnerabilities (and better protect relevant systems), the Secretaries of Defense and of Homeland Security are directed to “include steps to ensure that the responsible agencies are appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.” Again, this is a reasonable solicitation to make of each department. We think both departments are likely to ask for expanded authorization to act with less interagency review or interference. Yet this request may be in tension with the aforementioned NSPM-2’s view of interagency policy review. Both departments are likely to also ask for more resources to fulfill their missions. This too may come into conflict with broader administration priorities, like the recently announced federal hiring freeze and tighter controls on spending.
The EO then lists the co-chairs of this vulnerabilities review. It is not surprising to see the Secretary of Defense or the Director of National Intelligence as co-chairs. Including the Secretary of Homeland Security is a good sign for those worried about DoD gaining more power at DHS’s expense in this space. This is a noteworthy point of continuity.
One other factor bears mentioning. Any Chief Information Security Officer worth his or her salt knows that before diving into vulnerabilities, it is important to get a firm grasp on which assets are most worth protecting. Just because a network is the most vulnerable does not mean that it is the most worth spending your next dollar to protect. On this score, we hope the new administration will take advantage of the work undertaken by the prior administration to identify the most important critical infrastructure networks (including work that flowed from Executive Order 13636) and civilian government networks (particularly the “high value asset” identification efforts tasked by the Cybersecurity National Action Plan in 2016).
Review of Cyber Adversaries—The order then tasks the Director of National Intelligence (DNI) to deliver to the President what is, in essence, a National Intelligence Estimate of the identities, capabilities, intentions, and vulnerabilities of our top adversaries in cyberspace. This is the kind of product that the Intelligence Community likely would prepare for a new administration in any case. Given the present tension over and politicization of the activities of one of the primary threats to U.S. networks—Russia—it is interesting that the review will not be strictly conducted by the Intelligence Community, as it is co-chaired by Flynn, Bossert, and the Secretaries of Homeland Security and Defense in addition to the DNI. This means the assessment delivered to the President will include more voices than that of the intelligence professionals over what is essentially an intelligence product.
U.S. Cyber Capabilities Review—This section of the EO directs the assessment of current U.S. cyber capabilities, which will occur only after the reviews of cyber adversaries and vulnerabilities are completed, in order to identify areas where capabilities should be improved to protect U.S. critical infrastructure networks. It is unclear, from our vantage point, what exactly is meant by “capabilities,” but we take it to primarily refer to technical capabilities to defend against attacks or launch attacks of our own. We hope this section of the EO undergoes additional interagency deliberation before the order is signed by the President.
In its present form, the review concerns only the capabilities of the Department of Homeland Security, the Department of Defense, and the National Security Agency (itself a part of the Department of Defense). This leaves out significant players with important cyber capabilities, including the Federal Bureau of Investigation and the Central Intelligence Agency (the latter has even been going public recently with its efforts to scale up its cyber capabilities). We also hope this review considers the role that non-state entities play in providing capabilities to the government. Here, we have in mind reports that the FBI purchased a capability from a third party to gain access to an otherwise locked iPhone last year.
Furthermore, an effort focusing solely on cyber capabilities risks leaving out important tools outside of the cyber domain that could be used to deter or respond to malicious cyber activities. Some of the most effective tools in the U.S. government’s arsenal include things like indictments and sanctions. Ideally this executive order would kick off a more holistic review of tools available to protect networks AND deter and respond to adversaries, and identify areas where these other non-cyber tools can be improved and better integrated in cyber policy.
Finally, this capabilities review also leaves out sector-specific agencies that are responsible for regulating various critical infrastructure sectors. While DHS is broadly responsible for working with the private sector to improve national cybersecurity, sector-specific agencies such as Treasury (for the financial sector) and Energy (for the energy sector) have important regulatory levers to improve the security of key networks. While giving DHS a key role here makes sense, sector-specific agencies will need to be involved.
The capabilities review portion of the EO also contains a subsection focused on workforce development, specifically a requirement for DHS and DoD to review Department of Education data on cybersecurity, mathematics, and computer science education. This is a wise addition, as the gap in the number of skilled information security personnel versus the number that industry and government require continues to grow. However, the language of the EO tasks the Secretary of Defense, alone, with making recommendations on how to “best position the U.S. educational system to maintain its competitive advantage into the future,” which seems an odd choice: though DoD employs at least half of all information security personnel across government, this topic would benefit from the input of a broader group of stakeholders to ensure recommendations would make a broad impact across both the private sector and government.
Private Sector Infrastructure Incentives Report—This section tasks the Secretary of Commerce, along with the Secretaries of the Treasury and Homeland Security and the Assistant to the President for Economic Affairs, to submit a report on providing incentives to the private sector to adopt effective cybersecurity practices. The order tasks Commerce and the co-chairs to review existing efforts and reports and make recommendations on inducing critical infrastructure owners and operators to adopt better cybersecurity; improving information sharing; and investing in enterprise risk management tools and measures. This is a prudent step at a time when discussion of cybersecurity insurance and other incentives is all the rage. However, we cannot help but wonder about the “carrots-only” approach to cybersecurity in the private sector, with no mention of potential sticks, if only as an opening bargaining position. That said, this is consistent with Tom Bossert’s scant public comments since his appointment, which stressed a cyber doctrine “that reflects the wisdom of free markets, private competition and the important but limited role of government.”
What’s Missing?—Though we can’t fault the administration for choosing certain areas to prioritize in its first few months, there are a few additional areas the administration will need to turn its attention to if it wants a truly comprehensive review of cybersecurity issues:
-This draft of the EO neglects to mention anything about international cooperation in cyberspace and the State Department’s multi-year effort to build consensus around norms of behavior. Once the Administration completes the three reviews outlined in this executive order, we hope it will consider how the results of those reviews reflect and inform the ongoing norms agenda.
-We already noted the conspicuous absence of the FBI; likewise, consideration of broader criminal and legal issues is missing from the order. U.S. statutes covering computer crime and surveillance, including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and others, are in need of modernization to create a healthier environment for lawful computer security research and to ensure law enforcers have the right tools at their disposal to combat crime. At some point, the Trump administration will need to address law enforcement’s access to data. One facet of this issue surfaced last year in the discussion around backdoors into encryption. While we think this is a serious issue that merits serious consideration, it probably falls outside of the scope of a draft EO designed to kick off rapid reviews intended to educate the new team about the country’s vulnerabilities, external threats, and capabilities.