The Cybersecurity Executive Order: A Right Start

May 13, 2017

President Trump issued two days ago a much anticipated executive order that reflects mature thinking about managing the sprawling kluge of federal networks, a determination to do it, and an over-estimation of the government’s ability to comply with demands for 16 Cabinet-level reports in short order. Whether the order is rigorously implemented remains to be seen, but it’s a right start.

The order’s provisions on critical infrastructure are hesitant by comparison, but far more robust than the terms of the leaked drafts floating around since January. That’s a welcome change. The order follows by six weeks the publication of a Report by MIT’s Internet Policy Research Institute called “Keeping America Safe: Toward More Secure Networks for Critical Infrastructure.” (I was the principal author of that report.) The comparisons are interesting.

Federal Networks

The order’s strong points are simple, yet they had never been articulated at the highest level of government, let alone implemented. First, excepting national security systems, cybersecurity risk will now be managed as a joint executive branch enterprise, rather than as a series of inconsistent departmental enterprises. Doing this will trench on departmental prerogatives and will therefore require strong presidential leadership. Watch for blood on the floor. If you don’t see any, it isn’t happening. If it does happen, better security and substantial efficiencies in procurement and management should result.

Second, the order directs the newly created American Technology Council to report within 90 days on the technical feasibility and cost effectiveness of transitioning all federal agencies, or a subset of them, to one or more consolidated network architectures and shared IT services. The danger here is the risk of moving from multiple points of failure to a single point of failure. The drafters seem aware of this danger, however. Hence the reference to subsets of agencies and “one or more” architectures.

Third, the order requires agencies to abandon competing standards for evaluating cybersecurity risk. All agencies must now use “The Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology. The MIT Report observed (as have others) that competing compliance standards create confusion and suggested that the NIST Framework be adopted across the government. This will now be done. We also suggested that the Framework be imposed on federal contractors. That has not been done.

Fourth, the order requires the Office of Management and Budget to join the Secretary of Homeland Security in assessing the progress of the order’s implementation. This is critical. OMB is the hammer in the Executive Branch. It controls the money. It not only giveth; it taketh away. The MIT Report’s first recommendation was to involve OMB in precisely this way. If this provision is robustly implemented, it will bring results.

How should we judge the success of this part of the order? The only metric that ultimately matters is the reduction in the number of federal cyber incidents that result either in the loss of significant information (by volume or sensitivity) or in the implantation of malware that cannot be readily identified and remediated.

Five proxy metrics should also be officially tracked and made public:

  1. An increase in the dollar volume of joint department procurement of equipment and services relating to the order;
  2. The number of agencies that move to (a) one or more consolidated network architectures, and (b) shared IT services – without creating a single point of failure;
  3. The dollar volume of funds that are reprogrammed within and between agencies in response to the ongoing evaluations called for in the order;
  4. The dollar volume of Congressionally authorized expenditures fenced in response to these evaluations; and
  5. Whether cabinet officials are fired if their departments suffer from avoidable network failures.

Critical Infrastructure

The section of the order dealing with critical infrastructure is less precise, less sure-footed, and less satisfying. I believe it represents an awareness that earlier drafts paid insufficient attention to the topic, but no conviction about what to do about it. Fair enough. About 85 percent of this infrastructure is privately owned, and while national security depends on it, the President can’t simply order its owners to do what he wants.

The order therefore commands five reports to the President. The first is to identify all federal legal authorities that can be used to support the infrastructure at greatest risk. It is difficult to believe that authoritative memoranda on this topic do not already exist in the departments of justice and homeland security.

The second report will examine “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities ….” Obscurity this dense in an otherwise clear order must be intentional. I translate it thus: “We are going to figure out better ways to publicly embarrass big companies whose cybersecurity really stinks.” If that’s what it means, I’m for it.

The third report will evaluate ways to improve resilience against botnets and other automated attacks. This is a good idea, but I fear the drafters believe that the fundamental insecurity of Internet communications is technological. Technological challenges do exist. Automated attacks require automated defenses. But as the MIT Report makes clear, the most difficult obstacles in the way of higher cybersecurity are not technological. They are legal, economic, and managerial. (Short explanation here.) If the required report to the President fails to address these non-technological challenges, it will be useless.

The fourth report will be an assessment of the nation’s readiness to prevent, manage, and recover from a disruption of our regional electric grids. I applaud this focus. But the order has missed a trick. We simply don’t have sufficient data on which to base much more sophisticated, cross-sector simulations than we can now do. Why? Because the companies that own the vulnerability data won’t share it. At the same time, the companies that have vulnerability data don’t have a handle on the latest threats. The Internet Policy Research Initiative at MIT is about to tackle this problem. We aim to discover whether data owners would be willing to put anonymized and encrypted data into a secure facility at MIT, then participate in realistic simulations of cyber-initiated disasters – and share the results.

The fifth report will concern the challenges faced by the defense industrial base, including supply chain risk.

These studies will be useful for the security of critical infrastructure – but only if they deal with three fundamental issues identified in the MIT Report but ignored in the executive order:

  1. Isolation. The President must be told that critical infrastructure systems cannot be made reasonably secure unless key controls are isolated from public networks. Believing otherwise is delusional.
  2. A Market for Safe Controls. One of the worst supply chain threats to infrastructure doesn’t come from malicious manipulation of equipment. It comes from insecure, multipurpose electronic controls that are not suitable for specialized, sensitive uses. The government must explore the cost and feasibility of supporting a market for simpler, secure variants of commercial controls for critical infrastructure.
  3. Market and Tax Incentives. The incentives for producing more secure hardware and software, and for retiring legacy systems, are misaligned, and the order should have said so. Tax incentives should encourage firms to retire legacy components, for example. Negative incentives are also important. Apart from the manufacture of hardware and software, in what area of economic life is it possible to put unsafe or unsuitable products into the stream of commerce without liability? I can’t think of any. This must change.

If the cabinet-level reports required by the order do not address each of these issues, then critical infrastructure vulnerabilities will continue to get worse, and the Trump Administration will simply join its predecessors in producing feckless, hand-wringing rhetoric on the subject. Stay tuned.

Afterthoughts

It seemed we’d been waiting a long time for this order, but only because several half-baked drafts were leaked at the start of Trump’s term. In fact, this order comes less than four months into his term. That’s quick. The frustrating thing about it is not that we waited four months for Trump’s team to issue the order. Rather, it’s that we waited about 12 years for Presidents Bush and Obama to issue an order like this, and they never did.

I like to think this order is evidence of the wisdom of appointing Rob Joyce as the new cyber advisor on the national security staff, but it’s too soon to tell. The media continue to refer to Joyce as the cyber “czar.” The best reason to avoid calling any American official a “czar” comes from former CIA Director Jim Woolsey, who used to say that five hundred years of reactionary stupidity followed by seventy-two years of Bolshevism is not a governance model we want to emulate. Czars were absolute rulers. Joyce is a mere “coordinator” – which means he has no power at all. Which brings me back to the first recommendation in the MIT Report: Joyce should be elevated to the position of deputy national security advisor. Rank counts. It will determine who returns his phone calls and how quickly and whether he’s even invited to meetings with senior officials whose actions he’s trying to influence. I wish him much luck.