Revised Cybersecurity Executive Order Seen as More Moderate

Security Experts Say Draft of Revamped Trump Order Builds on Obama's Policies

A heavily revised draft of President Donald Trump's executive order on cybersecurity lays out initiatives to build upon the previous administration's IT security programs rather than to radically change them.

"Much of this quite literally could have been written by the Obama administration," says Paul Rosenzweig, who served in a top Department of Homeland Security policy role during the George W. Bush administration. "It's a reasonable, moderate, incremental set of approaches that reflects a different way of thinking about cybersecurity than President Trump has advanced in some of his other executive orders, which have been more disruptive or transformative in intent."

An earlier version of the draft emphasized the role of the secretary of defense, while the new version focuses on agency heads working with the director of the Office of Management and Budget and others (see Report: Trump to Call for Cybersecurity Review).

Trump put plans to sign a cybersecurity order on hold earlier this month, pending a revamp. It's not yet clear when he plans to sign the revised order, or whether it could be changed yet again.

Toning It Down

Some observers say the revisions in the proposed order, a copy of which was obtained by Information Security Media Group, could be attributed to the influence of Thomas Bossert, assistant to the president for homeland security and counterterrorism, a high-ranking White House post that has cybersecurity as part of its portfolio. "Tom Bossert, so far, seems to be a sober and thoughtful addition to the White House," says Gabe Rottman, deputy director of the freedom, security and technology project at the Center for Democracy & Technology, a civil liberties advocacy group.

The latest version of the draft executive order would hold cabinet secretaries and agency directors responsible for the security of their organizations' information assets, as is the current law. "Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of information or systems," the revised draft order states.

Among the most dramatic changes the revised draft proposes is to address cyber risk using a governmentwide approach, treating the executive branch as a single entity when assessing information risk. That's because agency heads currently make risk management decisions that affect other agencies as well as the executive branch as a whole. "So long as the .gov network is as interconnected as it is, for all the good reasons that it is, the security of the network is pretty attributable to its weakest link, so you have to treat it as an entire enterprise," Rosenzweig says.

Using NIST Framework

The draft executive order would require federal agencies to adopt the NIST cybersecurity framework as a roadmap for how they could reduce security risks. "The NIST framework gives you a common language for describing your cybersecurity issues," says Herbert Lin, a senior cybersecurity research scholar at Stanford University who served on Obama's Commission on Enhancing National Cybersecurity. "Given all of the confusion about what cybersecurity actually calls for, that's really a good thing."

During the presidential campaign and early in his tenure, Trump spoke of cybersecurity in militaristic tones. And the earlier version of the cybersecurity executive order designated the defense secretary as co-chair of a review of the government's cyber vulnerabilities and capabilities, provisions excised in the revised draft.

Still, the latest draft is seen by some as favoring DoD over DHS in implementing government cybersecurity policy over the mostly privately owned critical infrastructure. Although the language of the revised draft executive order designates the DHS secretary as leading the initiative to identify vulnerabilities among the critical infrastructure, other wording could be interpreted as giving the military and intelligence agencies more sway in securing civilian critical infrastructure.

Serious Concern Raised

"The critical infrastructure section ... requires those entities to identify 'authorities and capabilities' that are currently lacking with regard to critical infrastructure," Rottman says. "One could absolutely see that leading to calls for additional surveillance authority - critical infrastructure includes telecommunications, for instance - or other extraordinary powers. Given the expansive view of executive power we've seen from the new administration in other contexts, this is a serious concern."

Rottman sees provisions in the revised draft aimed at defending against botnets as another way the military could muscle in on civilian IT security governance. That section, on core communications infrastructure, calls for the commerce secretary to take the lead in coordinating with the DHS secretary on improving resilience and encouraging collaboration among infrastructure operators to reduce cyberthreats, such as botnets. That provision calls on the commerce and DHS secretaries to consult with a number of agency heads, including the secretary of defense and the FBI director.

"This raises concerns about the unintended consequences of 'botnet takedowns,' where law enforcement can remotely access infected computers, those of botnet victims, and remove malware," Rottman says. "It raises concerns about government surveillance of the big networks, as you need to keep an eye on packet traffic to identify botnet communications. We'll be keeping a close eye on the implementation of this section."

Unanswered Questions

The revised draft of the executive order lays out the agenda the Trump administration would take to secure the government's and nation's critical information assets, but it leaves many questions unanswered.

For example, the draft would require agency heads to be responsible for their organizations' IT security. "That's clearly a good thing, but how do you hold somebody accountable?" Lin asks. "It's not like in the private sector, where you say, 'I'm going to hold up your stock options or something like that.'"

Lin says one option could be firing an agency head if he doesn't carry out his responsibilities, but that could prove impractical. "If the only thing that you have is execution, you have to only execute people doing things that are worth executing [them for]," he says. "And not every breach, not every failure is worth executing somebody for. ... You need something at a lower level other than firing this person."

Delay Allowed for Changes

Trump had been expected to issue the cybersecurity executive order earlier this month. But some lawmakers and IT security policy experts had criticized Trump's support of more DoD involvement in civilian cybersecurity, as spelled out in the original draft. Also, the original draft did not assign a role in developing new government cybersecurity policy to the FBI, the federal agency that enforces IT security laws; the new draft EO does.

During the presidential campaign, Trump said among his first actions would be to order a comprehensive review of the government's and nation's cybersecurity vulnerabilities and capabilities. And, indeed, the draft EO does just that.

Melissa Hathaway, a senior cybersecurity adviser to Presidents Barack Obama and George W. Bush who led Obama's cybersecurity review when he took office eight years ago, calculates the draft executive order would require 11 reports to be written over the next 90 to 150 days. This comes at a time when the Trump administration is in the nascent stages of building staffs dedicated to implementing cybersecurity policy in the White House and other agencies, such as DHS.