The long-awaited executive order on cybersecurity is out. It’s not dramatic or surprising (perhaps because drafts have been floating around Washington for weeks), but it has good ideas. It’s level-headed and pragmatic. The main thing to consider with the order is that it is mainly a presidential task order, calling for reports on where we are and what steps we should take in cybersecurity, due in 45, 90, 120, 180, 240, or, in one case, 365 days. In short, check back regularly over the next year to see where this Administration comes out on cybersecurity. As an omen or predictor of this outcome, the order is encouraging.
A quick summary: the order makes agency heads accountable for cyber risk management, using the National Institute of Standards and Technology framework. It calls for reports on a broad range of topics. These include modernizing federal IT and moving to shared services, finding ways to support critical infrastructure – where a cyber attack could have a “catastrophic effect” – with special attention to the power grid and its vulnerability to cyber attack, and developing plans to make cyber practices of publicly traded critical infrastructure companies more transparent. The Secretaries of Commerce and Homeland Security are to come up with a process and a plan to deal with botnets. The Department of Defense will assess the vulnerabilities of military systems and the defense industrial base. There are more taskings for reports on deterrence, international cooperation and workforce development. These are all good things and some are long overdue.
There is not a lot on interagency process included in the order. All the usual agencies are involved in drafting the reports that touch on their existing responsibilities. There are, however, signs of how the White House will organize itself. Reports are prepared by the responsible agencies and go to the Assistant to the President for Homeland Security, Tom Bossert – he seems to have the lead for cybersecurity. If a report touches on military issues, responsibility is shared with the Assistant to the President for National Security, Lieutenant General H.R. McMaster. There are no changes in agency responsibilities even though some assignments, such as the July 2016 Presidential Policy Directive 41 on Cyber Incident Coordination – which fails to even mention the Department of Defense – badly need rethinking. In a welcome departure from past practice, there is no mention of the Office of Science and Technology Policy, a major improvement since staff from several previous administrations held that that office has only hampered policy development for cybersecurity.
Modernizing federal information technology acquisitions is the federal equivalent of quicksand, since it requires editing thousands of pages in the Federal Acquisitions Regulations. There’s an opportunity for better security and big savings if federal IT is modernized, but only if the Administration changes how the federal government buys IT – currently a disjointed and duplicative process. The order, however, only talks about what the government should buy – a good start but not enough if we are to avoid the fragmentation that gives attackers big opportunities.
There’s enough ambiguity in the order to avoid any immediate fights, particularly when it comes to critical infrastructure. A report due in six months will identify authorities and capabilities that agencies could use to support critical infrastructure, leaving open whether these authorities will be used. This guarantees that a steady stream of supplicants will visit the White House to make sure that authorities are rarely used, if ever, particularly since the word “voluntary” never appears at all. Authorities are a delicate issue, for good reason, and finding a balanced approach to their use is difficult – not too much but also not too little, since there are some cybersecurity problems that the market will not solve. Privacy gets only two mentions, suggesting it’s not the same fetish object it was in the past, and this too will generate a steady stream of advocacy.
This Administration, like its predecessor, will try to find some way to make deterrence work. This is not an impossible task if they can escape the gravitational pull of Cold War thinking about deterrence, but we won’t know until the report on deterrence is finished 90 days from now – there has been a dearth of new thinking on deterrence for more than a decade. Hint to White House: think about coming up with a full set of “countermeasures” as they are defined under international law rather than trying to deter via threats to use military force.
Deterrence is linked to international cooperation with “allies and other partners,” and this phrase points at two key international problems. First, the 2011 international strategy is badly out of date. The U.S. needs to move to a strategy centered on working with “likeminded nations” – such as the G-7 or NATO – when it comes to norms for responsible state behavior. This requires some agreement on consequences for bad actions and a common standard for attribution so that allies and partners can agree on who should be held responsible. The days of cyber kumbaya are over, and while we will need to continue negotiations with our major opponents on measures for stability and confidence building, we should not expect norms to shape their behavior for years to come. The EO does not mention norms – a blow perhaps to the academic enterprise of creating artisanal norms for cybersecurity – but what we need is not more norms but more efforts to implement the ones we have now.
Second, the reason we need to move to a likeminded strategy is that Russia, along with China, thinks there is an opportunity to push hard against the Western system of rules that govern international relations and get a reset that makes the internet easier for them to exploit and less of a threat to their own regimes. This is not in our interest for many reasons. To work, a good strategy for international cyber cooperation and deterrence requires a strong, clearly articulated, and more assertive policy for dealing with Russia and China across the board – cyber is now embedded in the fabric of international relations and cannot be approached as a separate or peripheral issue.
If there is one word we can draw from the order to describe the Administration’s goals for critical infrastructure and cybersecurity, it is “resilience.” This is a good sign. Like the references to risk management, resilience suggests an acceptance that we cannot now prevent cyber attacks, that we cannot keep attackers out, and instead must be prepared to deal with compromise and disruption when they inevitably occur.
This order isn’t a plan for cybersecurity. It’s a plan on how to plan. Taking a step back to assess all the work done on cybersecurity in the last 10 years is a good idea. The order is in some ways akin to admiring the problem, but this can be a good thing if we do not admire the problem for too long. Let’s see where we are in 90 days.