The saga of the cyber security executive order continues; a new draft surfaced just last week. The first draft leaked in January, shortly before the President was expected to sign a cyber-security order. He abruptly postponed. Another draft leaked in February, but the President didn’t sign that one either. Perhaps this latest draft is the final one. “Rumors had it,” Paul Rosenzweig writes, “that the Cybersecurity EO was contingent on resolving how to deal with IT technology development and innovation.”
This latest draft EO addresses three cyber security topics: federal networks, critical infrastructure, and national cybersecurity.
For federal networks, the order’s themes are improvement and integration. “[F]or too long,” the order laments, “[t]he executive branch has . . . accepted antiquated and difficult-to-defend IT.” Thus, the order requests “risk management reports” from federal agencies that show the thinking behind their “mitigation and acceptance choices” and describe their plans to implement the Framework for Improving Critical Infrastructure Cyber Security, which the order requires agencies to use to manage risks. The risk reports will go to DHS and OMB for evaluation. DHS and OMB will in turn report to the President. Agencies must also “show preference in their procurement for shared IT services,” including “email, cloud, and cybersecurity services.” The order commissions a report on the “technical feasibility and cost effectiveness . . . of transitioning all agencies . . . to one or more consolidated network architectures” and to these “shared IT services.”
The critical infrastructure section covers the widest variety of topics. Generally, it requires certain federal agencies to identify “authorities and capabilities” that they can “employ to support the cybersecurity efforts of critical infrastructure entities” identified under President Obama’s Executive Order 13636. But it also addresses specific issues, such as botnets and “Other Automated Distributed Threats.”[1] And it calls for an assessment of the nation’s “Electricity Disrupting Incident Response Capabilities”—that is, what would a cyber-attack against the country’s electrical grids look like, and can we respond effectively to such an incident? Finally, there is a section on the Department of Defense’s Warfighting Capabilities and Industrial Base. Its focus is on assessing cyber security risks to military supply chains, systems, and networks.
Finally, the order addresses cyber security as it relates to national security. Deterrence and protection against cyber attacks are the two aims of this third section. To achieve them, the order seeks to promote international cooperation, including collaboration with other countries in “investigation, attribution, and cyber threat information sharing.” And it calls for an assessment of the nation’s efforts to educate and train its “cyber security workforce of the future.” National security agencies in conjunction with the Secretary of Education must determine “the scope and sufficiency of efforts to educate and train” students in cyber security issues, “from primary through higher education.”
This third draft mixes elements from the prior drafts. For example, the assessment of cyber-security-related efforts in education was a component of the first draft, but not the second. And improving cyber security in federal agencies through the use of the Framework for Improving Critical Infrastructure Cyber Security was a focus of the second draft, but not the first. There are also some innovations. For example, this latest draft appears to be the first one to meaningfully address international cooperation.
Whether this draft is in fact the final one remains to be seen. There are reports that “the Trump Administration is still building its IT and IT security team that would need to help implement the” order. The President might wait for that process to finish before signing. As always, we’ll be on the lookout for any developments.
[1] The Secretaries of Commerce and of Homeland Security must promote “action . . . to improve the resilience of the Internet and communications ecosystem” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.”
