17 May 2017

Trump’s latest draft cyber EO focuses on risk management, modernizing legacy IT


by Brad D. Williams

An updated draft of President Donald Trump’s pending cybersecurity executive order was published on Wednesday, providing a glimpse into the administration’s cyber policies and goals for the next four years.

Paul Rosenzweig, the founder of Red Branch Consulting and a senior advisor to The Chertoff Group, posted a copy on the Lawfare Blog.

The draft EO mandates a comprehensive review of cybersecurity across federal networks — both the civilian .gov and the defense .mil domains — as well as the nation’s critical infrastructure.

In a section entitled, “Cybersecurity for the Nation,” the EO outlines policies for “promot[ing] an open, interoperable, reliable and secure internet” and “support[ing] the growth and sustainment of a workforce that is skilled in cybersecurity.”

Like earlier draft EOs on cybersecurity and IT modernization, which were leaked in January, the draft published on Wednesday directly links cybersecurity to federal IT modernization, while emphasizing risk management, critical infrastructure resilience and “cyber capability advantage.”

Cybersecurity for Federal Networks

The EO’s first section focuses on securing federal networks. The administration’s policy is to hold leaders of executive departments and agencies accountable for managing their cybersecurity risk. The administration views federal cybersecurity management as an executive branch responsibility.

The EO outlines a “full range of activities” that comprise cybersecurity risk management, which extends beyond safeguarding existing IT infrastructure and data. The order highlights important risk management tasks, such as patching known vulnerabilities, properly configuring technologies and upgrading technologies once they reach their end of life – often defined as when vendors cease support.

Notably, the order mandates the use of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework at federal civilian agencies.

Within 90 days of the order’s execution, all federal agency heads are to submit a Risk Management Report to the DHS Secretary and the Director of the Office of Management and Budget. The report must document each agency’s risk mitigation and acceptance choices, the considerations that informed those choices, any accepted risk and the action plan for implementing the NIST Framework.

Within 60 days of receiving the Risk Management Reports, the DHS Secretary, OMB Director, Secretary of Commerce and Administrator of General Services must submit to the president a determination on each agency’s Risk Management Report. In addition, they will present a joint plan to protect the executive branch enterprise, bridge budgetary gaps, develop a risk management process, reconcile the plan with United States Code (chapter 35, subchapter II of title 44) and align with the NIST Framework.

This section of the EO ties IT modernization directly to cybersecurity, noting, “The executive branch has for too long accepted antiquated and difficult to-defend IT.”

The order requires a report on modernizing IT to be developed by the DHS Secretary, the Director of OMB and the Administrator of General Services Administration and in consultation with the Secretary of Commerce.

The IT modernization report, which will be due to the president within 60 days of the EO’s signing, will cover the technical feasibility and cost effectiveness of consolidating some or all federal agency network architectures and shared IT services, with an eye to potential impacts on cybersecurity. The modernization report is required to include timelines and milestones.

The EO directs agency heads to “show preference” for purchasing “shared IT services to the extent permitted by law, including email, cloud and cybersecurity services.”

The Defense Secretary and DNI are required to implement the order’s mandates on their networks “to the maximum extent feasible and appropriate.” Within 150 days of the order’s signing, the Defense Secretary and DNI will report on their implementation of the EO’s mandates and “a justification for any deviation.”

Cybersecurity of Critical Infrastructure

The EO requires federal civilian agencies to support cybersecurity risk management performed by owners and operators of critical infrastructure. Specifically, within 90 days of the order’s signing, the DHS Secretary and Secretary of Commerce must report to the president “on the sufficiency … of market transparency of cybersecurity risk management practices by critical infrastructure entities, focusing on publicly traded owners and operators of critical infrastructure.”

The DHS Secretary, Defense Secretary, Attorney General, DNI, FBI Director and sector-specific agencies must “identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure” that is judged to be at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security.”

Separately, the DHS Secretary and Energy Secretary are ordered to assess “the potential scope and duration of a power outage associated with a significant cyber incident.” In addition, the order requires a review of incident response readiness and “gaps or shortcomings in assets or capabilities required for incident response” in the event of a cyberattack on the U.S. power grid.

The Secretary of Commerce and DHS Secretary are ordered to jointly lead an “open and transparent process” to “improve resilience of the internet and communications ecosystem with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).” A preliminary report on their efforts and findings will be made publicly available within 240 days of the order’s signing.

Within 90 days of order’s signing, the Defense Secretary, DHS Secretary, FBI Director and DNI will report on cybersecurity risks to the “defense industrial base, including its supply chain, and United States military platforms, systems, networks and capabilities, and recommendations for mitigating these risks.”

Cybersecurity for the Nation

The final policy section of the EO outlines the administration’s vision for the internet, cyber deterrence and a cyber workforce.

On the internet, the order states that U.S. policy is “to promote an open, interoperable, reliable and secure internet that fosters efficiency, innovation, communication and economic prosperity, while respecting privacy and guarding against disruption, fraud and theft.”

On deterrence, the EO requires eight federal executives to develop a joint report “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”

In addition, it orders a review of areas for international cooperation on cyber deterrence, including “those concerning investigation, attribution, cyber threat information sharing, response, capacity building and cooperation.” Separately, the Secretary of State is charged with reporting on “an engagement strategy for international cooperation in cybersecurity.”

Finally, on the U.S. cyber workforce, the order advocates for cybersecurity education and skilled cybersecurity workers. To this end, the EO requires a joint assessment of “the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education.”

It requires a report on “findings and recommendations regarding how to support the growth and sustainment of the nation’s cybersecurity workforce in both the public and private sectors.”

It orders the defense and federal civilian communities to “assess the scope and sufficiency of U.S. efforts to ensure U.S. national security-related cyber capability advantage.”

No comments: