President Donald J. Trump signed Executive Order 13800 titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” on May 11, 2017, his thirty-fifth executive order since taking office.
Before evaluating President Trump’s cybersecurity executive order, it is worth taking a step back to look at what Candidate Trump said about the subject. During his campaign, then Candidate Trump promised immediate action on cybersecurity, stating in an October 3, 2016, speech:
To truly make America safe, we must make cybersecurity a major priority for both the government and the private sector. Cyber theft is the fastest growing crime in the United States. As President, improving cybersecurity will be an immediate and top priority for my Administration. One of the very first things I will do is to order a thorough review of our cyber defenses and weaknesses, including all vital infrastructure. Cyber-attacks from foreign governments, especially China, Russia, and North Korea along with non-state terrorist actors and organized criminal groups, constitute one of our most critical national security concerns … The scope of our cybersecurity problem is enormous. Our government, our businesses, our trade secrets, and our citizens’ most sensitive information are all facing constant cyber attacks.
Candidate Trump also included a cybersecurity position statement on his campaign website, one of sixteen position statements published by his campaign, which detailed his plan to address the cybersecurity issues facing the Nation:
Background – Directives and Orders
Before diving into the cybersecurity executive order, we need to briefly discuss two presidential actions, one a policy directive that preceded the Trump administration, and the other an executive order issued during the first 100 days of the Trump administration.
Issued on February 12, 2013, Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience was meant to unify and strengthen the effort to maintain secure, functioning, and resilient critical infrastructure. It designates critical infrastructure sectors and sector-specific agencies (e.g., Financial Services with the Department of the Treasury, Information Technology with the Department of Homeland Security).
Issued on May 1, 2017, President Trump’s Executive Order 13794 (“Establishment of the American Technology Council”) is intended to:
… promote the secure, efficient, and economical use of information technology to achieve its missions. Americans deserve better digital services from their Government. To effectuate this policy, the Federal Government must transform and modernize its information technology and how it uses and delivers digital services.
The membership of the American Technology Council includes the President, the Vice President, several cabinet members and heads of administrative agencies (e.g., Secretary of Defense, Secretary of Homeland Security), the U.S. Chief Technology Officer, the Administrator of the U.S. Digital Service, and the Director of the American Technology Council, in total nineteen members. Executive Order 13794 also details the functions of the American Technology Council:
(i) coordinate the vision, strategy, and direction for the Federal Government’s use of information technology and the delivery of services through information technology;
(ii) coordinate advice to the President related to policy decisions and processes regarding the Federal Government’s use of information technology and the delivery of services through information technology; and
(iii) work to ensure that these decisions and processes are consistent with the policy set forth in section 1 of this order and that the policy is being effectively implemented.
It is not entirely clear whether the Cyber Review Team proposed by Candidate Trump has the same scope of responsibilities as the American Technology Council, but it seems that the American Technology Council encompasses much of the Cyber Review Team’s functions as described by Candidate Trump. Being aware of the American Technology Council is important because it is named as having several responsibilities and deliverables in Executive Order 13800.
With this background in mind, let’s examine President Trump’s Executive Order 13800. The cybersecurity order is divided into three sections: Section 1 – Cybersecurity of Federal Networks; Section 2 – Cybersecurity of Critical Infrastructure; and Section 3 – Cybersecurity for the Nation.
Section 1 – Cybersecurity of Federal Networks
This section requires:
NIST Cybersecurity Framework Usage by Government Agencies
Section 1(c), Risk Management, uses “shall” language to require government agencies to use the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology, to manage the agency’s cybersecurity risk. (More information on this point below.)
Agency Risk Management Reports
Each agency head must provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB). (Required within 90 days of the cybersecurity executive order, before Wednesday, August 9, 2017.)
Planning based on Agency Risk Management Reports
Within 60 days of the receipt of the agency risk management reports, and before Tuesday, August 22, 2017, the Director of OMB, with the Secretary of Homeland Security, shall submit to the President a determination and plan that addresses insufficiencies and unmet budgetary needs; establishes a process for reassessing the unmet budgetary needs necessary to manage risk; reconciles and reissues policies, standards, and guidelines in furtherance of the cybersecurity executive order; and aligns those policies, standards, and guidelines with the NIST Cybersecurity Framework.
Modernization of Federal Information Technology Report
Also required within 90 days of the cybersecurity executive order, before Wednesday, August 9, 2017, is a report on the modernization of Federal Information Technology by the Director of the American Technology Council (see Executive Order 13794, discussed above). The report shall examine the technical feasibility and cost of transitioning all agencies to a consolidated network architecture and shared information technology services, including e-mail, cloud, and cybersecurity services.
The policy section includes language that the President will hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprise—but it does not describe a penalty for an agency head who fails to adequately manage that risk. Section 1(b), Findings, describes what effective risk management encompasses: “protecting IT and data currently in place”; “planning, so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity”; and “lead[ing] integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.”
While there are many aspects of this Section worth monitoring, the Modernization report is of special interest to many businesses. For example, if the goal is consolidation, which database systems will be chosen (e.g., Oracle, open source), will a public or private cloud provider be preferred, which operating systems will be chosen (e.g., Windows, Linux, Apple, Unix), which e-mail clients and servers will be chosen, and which security tools will be chosen?
It’s also worth noting that requiring federal agencies to use the NIST Cybersecurity Framework, a risk management approach that until now had been adopted voluntarily by organizations, is a critical aspect of the cybersecurity executive order. To give federal agencies guidance on how the NIST Cybersecurity Framework can complement their existing risk management practices and improve their cybersecurity risk management programs, NIST recently released The Cybersecurity Framework: Implementation Guidance for Federal Agencies (which will be the subject of a future blog post).
Section 2 – Cybersecurity of Critical Infrastructure
This policy section includes language directing the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities). Among other things, it requires the heads of the appropriate sector-specific agencies, as defined in Presidential Policy Directive 21, to identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified as being at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities). It also requires, within 180 days of the cybersecurity order, before November 7, 2017, a classified report detailing the findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities.
About those botnets…
Of special note, Section 2 takes measures to address the growing problems related to botnets: networks of malware-infected computers that are secretly controlled by cybercriminals, without the owners’ knowledge, for criminal purposes (e.g., delivering a Distributed Denial of Service attack).
More specifically, this section requires that the Secretary of Commerce and the Secretary of Homeland Security jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem, and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets). Within 240 days of the order, before January 6, 2018, the Secretary of Commerce and the Secretary of Homeland Security shall make a preliminary report on this effort publicly available. The cybersecurity executive order also requires that within one year of the date of the order, the Secretaries submit a final version of this report to the President.
Section 3 – Cybersecurity for the Nation
Section 3 states that it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.
This section requires a report to the President on deterrence and protection from cyber threats. Within 90 days of the date of the cybersecurity order, before August 9, 2017, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
This section also emphasizes workforce development: it requires a report to the President by the Assistant to the President for Homeland Security and Counterterrorism within 120 days of the date of the cybersecurity order, before September 8, 2017, with findings and recommendations on how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.
Given President Trump’s executive order on cybersecurity, together with the statements and positions he took during the campaign, it is clear that cybersecurity will be a key area of focus during his administration. Executive Order 13800, with its requirement that federal agencies use the NIST Cybersecurity Framework, raises questions about use of the framework by government contractors and other government agencies: will agencies now require the vendors they rely upon to use the NIST Cybersecurity Framework? And how will agencies resolve conflicts between the framework and other regulations and requirements? It also raises questions about the push to consolidate information technology infrastructure, and which solutions will ultimately be chosen.