Sun09242017

LAST_UPDATESun, 24 Sep 2017 2pm

Something About Trump Cybersecurity Executive Order Seems Awfully Familiar

President Trump’s executive order on cybersecurity is built on the orders and policies of his predecessor, and is almost entirely apolitical.President Trump’s executive order on cybersecurity is built on the orders and policies of his predecessor, and is almost entirely apolitical.

Last week, amidst the whirlwind surrounding the firing of FBI Director James Comey, President Donald Trump signed his long-promised executive order on federal government cybersecurity. While many of the other orders issued by Trump have been politically fraught, this one is not; it's possibly the least controversial document to be adorned with the president's signature since his inauguration.

In fact, aside from some of the more Trumpian language in the order, this Executive Order could have easily been issued by the Obama administration. That's because it largely is based on policies and procedures that were spearheaded by President Obama's staff.

"My initial reaction to the order is, 'this is great,'" former National Security Council Director for Cybersecurity Policy Ben Flatgard told Ars. "Trump just endorsed Barack Obama's cybersecurity policy." Flatgard was one of the principal authors of the Obama administration's Cyber National Action Plan (CNAP), published in February of 2016.

The new Trump order, officially entitled "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," builds largely on existing policies and initiatives, and it pushes forward many of the key points of the CNAP. The order also draws directly on the Obama administration's policies on protecting critical infrastructure, as well as standards for risk management set in the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework.

Flatgard said that the order "is directionally sound in many regards. It gives you incremental improvements and progress and some consolidation of stuff we've already put in place." However, he added, "for a new administration, this doesn't represent big, ambitious plans to really leap forward in terms of how we address cyber threats."

Philip Reitinger, president and CEO of the Global Cyber Alliance, agreed that the Trump order was at most an incremental step. "I don't know that I see anything extremely new," he told Ars. Still, Reitinger said that this executive order is still important—in that it puts the force of a presidential signature behind those policies and initiatives, and it "doubles down" on some past approaches. Trump's order also adds a level of detail that "shows the degree to which the language of cybersecurity has percolated to the upper levels of government," Reitinger explained.

Ars requested an interview with a White House official about the executive order; so far, there has been no response.

Revision(ist) history

In many respects, the absence of big, ambitious plans may be a good thing. Despite Trump's campaign bluster about "the cyber," the federal government was already making significant steps forward in the wake of the Office of Personnel Management breach and the "cyber-sprint" that followed. The adoption by the Trump order of the direction set by the Obama administration is, in part, indicative of how non-political federal government cybersecurity policy is (or at least should be).

But the level of detail in the order, compared to the draft order that was nearly signed back in early February, is also an indication of just how far the Trump administration has come in the past two months.

The initial draft executive order, leaked in February, consisted largely of a call for a series of reports from federal agencies—some of them within 60 days. The order was pulled back the day it was scheduled to be signed, based on feedback from agency heads who weren't consulted in advance, according to several government sources Ars spoke with.

The pulled order was also drafted before the White House had even filled positions on the National Security Council's cybersecurity policy staff. Despite naming former New York City Mayor Rudolph Giuliani as head of an ill-defined cyber task force, the Trump administration struggled early on to fill policy roles on the National Security Council.

Joshua Steinman, a Navy Reserve officer who left the Defense Department to work at a cyber-security firm, was brought on as a cybersecurity director for NSC in January, just days after the inauguration. It's not clear what role Steinman played in the initial draft of the order or who else was on the cybersecurity policy team at the NSC. A source who participated in a NSC cybersecurity briefing told Ars that, in February, most of the roles on the team were being filled by recent college graduates.

An NSC spokesperson declined to provide Ars with information on the NSC's cybersecurity directorate staff. Since then, all queries have gone ignored. A webpage on the White House site for the NSC, which previously listed key staffers, is still blank.

There was no further forward motion on the order for over a month, likely because other problems within the NSC needed to be dealt with. The role of White House cybersecurity policy coordinator was finally filled on March 15 when the administration announced that the job would be taken by Rob Joyce, the former chief of the National Security Agency Tailored Access Office.

The final order goes into much greater depth on policy goals and the means to achieve them. Reitinger said it's clear that a great deal of feedback from Department of Homeland Security, Department of Justice, and Department of Commerce officials is reflected in the final order.

One cloud (or more) to rule them all

One key element of the executive order is a push to accelerate the federal government's move toward the use of shared information systems and security infrastructure, including cloud services. The executive order calls for government agencies to "show preference in their procurement for shared IT services, to the extent permitted by law, including e-mail, cloud, and cybersecurity services."

The order also calls for a review by the recently formed American Technology Council to determine:

...the legal, policy, and budgetary considerations relevant to—as well as the technical feasibility and cost effectiveness, including timelines and milestones, of—transitioning all agencies, or a subset of agencies, to one or more consolidated network architectures; and shared IT services, including e-mail, cloud, and cybersecurity services.

According to Flatgard, this is, in effect, straight out of the strategy put forward by the Obama administration's CNAP. But the Trump executive order "really takes that and goes into much more detail, and further," said Reitinger, "to say we're going to move people to common architectures, common e-mail services, and put them on shared and cloud IT and cybersecurity services. And to have that focus specifically under an executive order with the president's signature, I thought, was extremely helpful."

Flatgard said the push for even further consolidation of infrastructure, which "is exactly what we said in the CNAP, and exactly what we worked on over the last year," was "great." But to pull it off, he noted, "we need to have more consolidated procurement and to get good tools people actually need into that shared services marketplace. You're not going to be able to tell people to use shared services if there's nothing that's good enough."

As far as the American Technology Council review goes, Flatgard noted again, it "is exactly what we said in the CNAP last year." The order properly identifies that "most of the problem isn't security," Flatgard explained, but "it's that Federal IT infrastructure is completely out of whack. So I completely agree with this and appreciate the Trump administration's endorsement."

The Trump order also calls for all agencies to use the NIST Cybersecurity Framework to guide their own cybersecurity risk management. But much of the NIST framework was already part of much more detailed cybersecurity regulations published by the Office of Management and Budget during the Obama administration. It is similar in many ways to the requirements set out by NIST under the Federal Information Processing Standards (FIPS) that agencies are already supposed to be following.

"The risk management stuff in the order is not new," Reitinger acknowledged. "It has been around for a long time. But I think it's very valuable to have an executive order talk specifically about how that's going to be done, to focus on accountability, and to say that the Cybersecurity Framework, which was developed primarily around critical infrastructure, is going to be used almost exclusively within the federal government as well."

The invisible hand

Another important part of the order is its "market transparency" provision. The order aims to increase the accountability of publicly traded companies that own critical infrastructure by making information on their cybersecurity practices known to the public (and shareholders). Again, Reitinger noted, "this is not something that's a huge departure from past policies. It's just going a little bit further and using a new term."

The Obama administration attempted to create a similar effect with President Obama's executive order of February 2013 and with a legislative proposal the Obama administration delivered to Congress in May 2011. Each sought to essentially "name and shame" companies that failed to use basic information security risk reduction practices.

The Trump order seeks to rebrand "name and shame" as the more capitalism-friendly "market transparency," but it's essentially the same thing. The Trump order chooses to not use federal regulation to coerce companies into behaving properly as far as cybersecurity risk management goes, but instead commands:

The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.
This doesn't, on its surface, appear to have much in the way of teeth in it. And there's a problem with utilities in particular: many of them are not publicly traded companies, or they are at least not as beholden to shareholders as others are.

The order also creates a "Resilience Against Botnets" task force, instructing the Secretary of Commerce and Secretary of Homeland Security to coordinate an investigation into ways to reduce the threat of distributed denial of service attacks against Internet and critical infrastructure. "The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission," and other "interested" agencies, the order mandates, and report back to the president with recommendations in 240 days.

Flatgard said the botnet policy appears to be a codification of a more informal botnet task force initiative out of the Federal Bureau of Investigation. The FBI has been a partner in a more international effort to corral botnets. And the 240-day deadline for a report does not bode well for any new immediate action. As Reitinger observed, a much more urgent emerging Internet security risk isn't directly addressed by the order: the Internet of Things (IoT) devices that have been harnessed in some of the most devastating recent botnet attacks could have much broader implications than taking down websites.

Kicking it down the road

Unfortunately, some of the more solid policy concepts behind the Trump order are probably years away from having an impact. And that's if they are even completed. For instance, the order calls for a 90-day review at the agency-level of security issues, followed by a 60-day review by OMB of any impediments in budgeting and policy that need to be addressed to fix those issues.

"I think that's great," said Flatgard. "And if that becomes a regular cycle, where OMB is really, thoughtfully reviewing the budget requirements, that could lead to potentially bold moves."

The problem with the policy is its timing. "We're already four months into the administration, and the deadline for OMB turning around that report is five months from now," Flatgard explained. "So realistically, any budgeting suggestions that are going to come out of it—and I'm not optimistic they're going to hit their deadlines, but even if they do and come out with these sweeping budget proposals based on their reviews—you're looking at them being addressed in the 2019 or 2020 budget at the earliest."

And the odds of a budget successfully passing in a mid-term election cycle, he noted, are slim.

-Arstechnica