President Trump is slated to issue two Executive Orders this week which may relate to the ability of the nation to defend itself (and its critical infrastructure) from potential cyberattacks.  The first is the President’s Executive Order on cybersecurity.  The second is the Executive Order on Regulation.  It may be that these orders work contrary to each other in practice.  We will have to wait and see.

The Cybersecurity EO begins with the observation that “[t]he executive departments and agencies tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions.” In other words, reorganize.

There’s an old joke about a new CISO hired to clean up the mess at her new company.  The outgoing CISO meets with the replacement and hands her three envelopes. “Open these if you run up against a problem you don’t think you can solve,” the first CISO says.  Things go along pretty smoothly for the first six months, but then a problem occurs and the new CISO begins catching a lot of heat. After trying everything else, she goes to her drawer and takes out the first envelope. The message reads, “Blame everything on your predecessor.” The CISO does, and the problem is solved.

About a year later, another major problem occurs, and the CISO immediately opens the second envelope. The message reads, “Reorganize.” This she does, and the company quickly rebounds.  Finally, the company suffers a major data breach.  The CISO goes into her office, closes the door and opens the third envelope. The message says, “Prepare three envelopes.”

Every new administration sees reorganization as a panacea for efficiency and progress.  While clearer lines of reporting and authority can help, frequently reorganization (particularly for its own sake) leads to bureaucratic infighting and contention.

In reorganization, the administration gets to say how it perceives the problem and solutions.  Is cyber (an absurd prefix in search of a word) primarily a criminal matter?  An intelligence matter?  A homeland security – prevention matter?  A military matter?  How do our goals of preventing attacks, investigating attacks and even perpetrating attacks mesh?  Who needs to be defended and by whom?  Should the US government spend money protecting foreign corporate interests if those foreign corporations reflect some part of the U.S. critical infrastructure?  How do we balance security and surveillance?  Not easy issues.  A 30 day review probably won’t answer those.

The observation that agencies lack legal authority to accomplish their cybersecurity mission seems to suggest that new legal authority will be granted to federal agencies to give them greater powers to combat cyber threats – particularly in civilian-based critical infrastructure.  The directive calls for an immediate review of the nation’s cyber vulnerabilities, with a report of recommendations within 2 months.

Of course, we don’t know WHY the networks are not organized to succeed, or what organization will make them succeed.  We don’t know what legal authority is currently lacking.  We just know that the President believes that some agency, department or private sector entity needs new legal authority.

Those responsible for the review and recommendations will be “The Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.”

The chair of the review will rest within the Defense Department.  Notably absent are the Attorney General and the Director of the FBI – the agencies that would be responsible for criminal investigations of cyber attacks and hacks, including the hack of the DNC.  This is particularly jarring in light of the role the previous administration gave to the FBI as “coordinator” as part of the Cyber Response Group (CRG) reporting to the NSC and the Cyber Unified Coordination Group (UCG) which is the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.  The previous directive expressly noted that the FBI would be the lead agency in the UCG stating:

In view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities.

The previous administration then gave DHS and ODNI supporting responsibilities.  It’s not clear whether the new Executive Order, which does not even mention the FBI, is intended to reverse this position, particularly as it pertains to “cyber incidents” and threat response.  The EO is silent on this.

The idea of a vulnerabilities review is not new.  Any CISO taking office wants to know what the current status of security in the enterprise is.  But there are many ways of measuring vulnerabilities.  Is it based on the number of end points?  The age of the infrastructure?  The scope of the monitoring? The robust nature of the security program?  The effectiveness of training and awareness?  The comprehensiveness of the patch management program?  The number of incidents?  The reduction or increase in incidents?

Really what is needed is a review of the role of IT in the missions of the various departments and agencies, and the role of IT security (confidentiality, integrity and availability) toward the completion of the mission.  To understand risk/benefit, we must first understand benefit.

What’s the mission of the agency, how does (and will) the technology advance the mission, and what are the risks of using the technology that way?  Not all data is the same.  Not all networks are the same.  A vulnerability is only a small component of a risk, and not necessarily the most important one.

The EO also calls for an “adversary review” to examine the nature and capabilities of our adversaries with respect to cyber attack, as well as a review of the nation’s capabilities to deal with these threats.  The EO calls for the creation of a report to “incentivize the private sector” adoption of effective cyber security measures.

Certainly, we have been collecting information about potential cyber adversaries for decades.  But what is really needed is an examination not only of WHO the adversaries are, WHAT they want to do, HOW they intend to do it, and WHETHER they have the capabilities to do it, but more significantly, what the potential IMPACT would be if they did what they plan, and HOW we can cost effectively respond to it.

While failure is not an option, doing nothing actually is.  We don’t want to respond to every adversary and every threat and play an endless game of “whack-a-mole.”  What we want is to have a comprehensive plan for assessing risk and impact, and responding appropriately.  The EO also does not discuss the sharing by federal agencies (including intelligence agencies) of information about threats with the private sector.

Swap Meet

At the same time the President is calling for a review of the nation’s cyber vulnerabilities and responses, he has also called for a moratorium on new regulations.  Well, not quite a moratorium – sort of a regulations swap meet.  If you want to propose a new regulation, you have to find two others – with the same financial impact – to remove.

So, if you want to impose new cybersecurity regulations on the energy grid, you have to remove regulations on nuclear power plant safety and coal emission standards?  If you want mandatory incident reporting for data breaches in the chemical industry, you have to remove labeling requirements for corrosive chemicals and transportation safety requirements.  Two for one.

Now the regulations swap meet only applies to federal executive agencies, so independent agencies like the SEC and FTC are not technically bound.  This may mean that these agencies will see their authority enhanced, as they will remain free to promulgate regulations which may (or may not) be necessary to achieve the objectives laid out in the cybersecurity report.

The philosophical aversion toward new regulation – particularly regulation which has a financial impact on the entity regulated – will necessarily affect the “incentives review” called for in the cybersecurity Executive Order.  One of the main drivers for information security has historically been regulatory compliance and data breach reporting prevention (notice I said prevention of REPORTING rather than prevention of breaches).

Often, when a company is seeking to implement or revisit a security procedure or technology, they will ask, “what is my current regulatory environment?”  What am I required to do?  How does this solution help?  Vendors and consultants pitch products and services to regulatory issues – “makes you 20 percent more HIPAA compliant!!” or “ensures SOX compliance,” or “meets PCI standards,” or whatever other meaningless promise they can make.

The language of the cybersecurity Executive Order seems to suggest that the incentives will be all carrot – no stick, and the regulatory burden order means even fewer sticks.  This may be good, it may be bad.  It will certainly be different.  Now excuse me while I prepare three envelopes.
