The Trump administration’s long awaited cyber-security executive order is finally here, and while it adds a number of new reporting requirements and includes the Office of American Innovation, run by Trump son-in-law Jared Kushner as a major player in the cyber-security build-up, it doesn’t have the ability to actually implement changes.
New steps taken by the EO include a change in the accountability of agencies of the executive branch by making agency heads personally accountable for their organization’s security performance. This eliminates a previous practice of agency heads delegating the responsibility to their IT department, thus leaving the agency head free of commitment.
The EO also includes an effort to modernize the executive branch IT systems, to encourage workforce development, to adhere to national standards and to help develop protections for critical infrastructure.
Critical infrastructure planning and reporting includes an effort to work with the companies that own and operate such things as power generation facilities to help them protect themselves against attackers. In addition, it requires detailed reports of the consequences of a successful attack, including a requirement to analyze widespread power outages that could last for weeks.
However, the primary requirement in the EO is a series of reports with varying deadlines that appear to be designed to create a baseline to broadly coordinate security efforts throughout the executive branch. In that sense, the order is descriptive rather than prescriptive. Actual changes will have to come in a subsequent EO.
The EO that was finally finished in April and presented on May 11 had been through a number of drafts, some of which had leaked and had created consternation in the security industry. The final version, however, has been widely accepted because it moves the ball forward in a number of areas mentioned above. While the EO doesn’t specifically include help from the private sector, it does at least make important strides in the government.
The change in accountability, for example, is very important. Previous cyber-security orders allowed agency heads to delegate the task to people in the IT department who had neither the authority nor the staff to enforce it. This change would mean that the head of an agency such as the Office of Personnel Management would now be responsible in a situation where their failure to provide adequate security led to a major breach.
You may have noticed that when such breaches have happened in the past, heads didn’t roll because the responsibility had been delegated away. This EO would change that.
The EO also changes the rules for procurement of IT systems by the executive branch by requiring that they meet modernization goals. Unfortunately, a depressingly large percentage of the computer systems in use by the executive branch are so antiquated that modernization is an impossible dream. Some of those systems were old when I was a young naval officer working at the Defense Logistics Agency decades ago, and they’re still in use.
With IT systems so old, modernization becomes more a matter of rewriting code and creating entirely new systems, tasks that can take years and cost billions. But without such a level of effort, those old systems become impossible to secure.
The plan to run the reports through the new Office of American Innovation may help the reporting and subsequent plans become more consistent, and perhaps even base them on best practices. Likewise, the requirement that security plans be consistent with NIST standards may help government systems move past their current status in which they’re islands of IT surrounded by moats of unique systems that are impossible to secure.
In addition, the EO’s reporting requirements are now consistent with the nature of the data system being evaluated. National security-related systems are now under the purview of the Secretary of Defense and the Director of National Intelligence. Other systems are under the purview of the Department of Homeland Security. What’s missing from the EO are directions for the future and, more important, funding.
Without some overall direction, the reporting requirements are simply a look into the past. Without funding, there’s no way to implement changes, regardless of how important or well-intentioned they may be. The executive branch does not have the means to pay for its efforts without Congress, and that means that Congress must step up to do its part in cyber-security. Unfortunately, Congress in recent years has been unwilling to spend the money to make federal systems secure.
The result is that the cyber-security plan outlined by the president and his administration has the right intentions, but it’s unable to move beyond that without help. That same inability to produce results has been a consistent factor in the poor state of cyber-security in federal IT systems for years.
Without a commitment from all branches of government to move forward, the new EO becomes simply the latest in a long series of unrealized opportunities. The only way to change that is for the president to find a way to get Congress to act. The best way might be for the private sector to convince legislators that their failure to act has major adverse consequences for all of the industry.