Cyber EO: Positive Provisions, Unfortunate Omissions and Excessive Reporting

The White House has recently issued an Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Order is broad in scope, and features positive provisions, some unfortunate omissions and a seemingly excessive set of reporting requirements.  Let’s take a look.

The Order begins by asserting that cybersecurity is an enterprise belonging to the Executive Branch, and boldly states that agency heads will be held accountable for the cybersecurity posture of their organization.  Clarification of accountability is a positive step, but the order does not specify the consequences to an agency head if their organization’s cybersecurity is wanting.  It also calls for written justification of risk actions – especially acceptance of risk – but allows each agency to self-assess.  Independent assessments would yield more reliable results than self-assessment.

The Order goes on to mandate modernization of Federal IT systems, correctly noting that modernization is an ongoing process and not a one-time effort.  It also requires accompanying budget analyses, to assess the financial burden required for modernization, and tells agency heads to show preference for shared services, particularly cloud services.   This is a positive step, but may be redundant with the 2014 update of FISMA, “Federal Information Systems Modernization Act,” and does not mention former Federal CIO Tony Scott’s ideas for stimulating and financing modernization.

The Order also directs agency heads to align cybersecurity efforts with the “Framework for Improving Critical Infrastructure Cybersecurity,” promulgated in 2014 by the previous administration.  The intent of that document, which this Executive Order reiterates, is to use business drivers to “apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”  Like many initiatives of this nature, the intent is worthy, but the effect may simply be to generate more paperwork and unproductive bureaucratic activity.

The EO also outlines measures for protecting critical infrastructure.  Interestingly, it specifically mentions botnets and distributed threats – a surprisingly technical requirement – and encourages companies providing critical infrastructure to be as transparent as possible regarding their cybersecurity practices.  The transparency requirement is interesting, and a bit cryptic; it will be interesting to see how industry reacts.

Broadening its scope still further, the EO urges close examination of America’s cybersecurity prowess in the context of military warfighting, and demands comprehensive action to maintain a superiority in cybersecurity warfare capability, which generally means refers to offensive cyber security.  This is a broad mandate, but it will be useful if enacted successfully.

Finally, the Order includes measures to enhance development of a trained cybersecurity workforce, although it merely seeks for assessment and attendant recommendations.  Presumably, guidance on how to improve the cybersecurity workforce is forthcoming, and will be based on the results.

The Executive Order, then provides positive direction regarding accountability, ongoing modernization, financial planning, and development and maintenance of an offensive cybersecurity capacity.  However, the EO also requires numerous reports, and drives alignment with the “Framework for Improving Critical Infrastructure Cybersecurity,” a predominantly bureaucratic initiative that requires more paperwork in an area already overburdened with documentation and reporting requirements.  The Order also fails to address some major problems plaguing U.S. Federal cybersecurity programs:  lack of independence in security assessments, and disproportionate share of cybersecurity budgets going to compliance over tangible security.