NTSC Blog

New Cybersecurity Executive Order: Reports, Reports, and More Reports
By Milton Mueller, Georgia Tech School of Public Policy

On May 11, the Trump administration finally released its Executive Order (EO) on cybersecurity. NTSC members who were hoping—or fearing—that the EO constitutes some kind of sea change in cybersecurity policy can settle back and relax. Despite a stormy beginning, the final "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" represents continuity and some needed clarification, not radical change.

As one commentator put it, what we have here is a "plan for a plan." Most of the EO action items are studies or reports. These reports may eventually lead to significant policy and organizational changes down the road, or they may just disappear into the mists of Washington, D.C. bureaucracy.

This final draft was the third iteration. The amount of attention devoted to it was probably inflated by the fact that the first version came out in late January around the same time as Trump’s ill-fated and provocative Executive Order on immigration. At the time, Trump was trying to show that he could make big, quick changes in the federal government that would reap political benefits with his base. But like the immigration EO, the first draft of the cybersecurity EO was not well thought out or based on interagency consultations. Fortunately, it was never signed and instead went through two subsequent revisions. There was a huge difference between the first and second drafts, but this final EO is only marginally different from the second draft.

So what does it do? The EO has three parts: the first addresses the cybersecurity of federal networks and facilities, the second cybersecurity for critical infrastructure, and the third "cybersecurity for the nation."

Part 1: The Cybersecurity of Federal Networks and Facilities

Part 1 is all about the federal government getting its own house in order. Going forward, department heads will be accountable for cybersecurity within their own agencies. They can no longer point the finger at their IT staff when things go wrong. They are also required to conform to the National Institute of Standards and Technology’s (NIST) framework for cybersecurity best practices. The EO orders a report that will detail how to transition to modernized architecture and acknowledges these efforts will take money as well as improved management. Modernization of ICT infrastructure in the federal government was called for in an earlier version, but the realization that that takes money led to a new bill in the House, the Modernizing Government Technology Act.

Agency heads must produce reports in 90 days about their cybersecurity plans that will be jointly reviewed by the Directors of the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). In one of the more interesting parts of the EO, the President leverages the American Technology Council created by his earlier, May 1 Executive Order. He calls upon its Director to coordinate a joint report from DHS, OMB, and the General Services Administration (GSA) regarding the feasibility of transitioning agencies to consolidated network architectures and shared IT services. Not much new here: this kind of Internet access and IT management consolidation has been going on inside the federal government for the past 15 years.

Part 2: Cybersecurity for Critical Infrastructure

Drawing upon the Obama administration’s Executive Order 13636 and Presidential Policy Directive 21 of February 12, 2013, Part 2 contains these components:

  • Support to critical infrastructure entities. Asks for reports on the authorities and capabilities that agencies could use to help the cybersecurity of critical infrastructure.
  • Supporting transparency in the marketplace. A report will examine the sufficiency of existing federal policies and practices to promote awareness about cyber risk management practices by critical infrastructure entities.
  • Improving the resilience of core communications infrastructure. Sets a goal of reducing threats perpetrated by botnets.
  • A major risk assessment of Electricity Disruption Response Capabilities involving the DHS, the Energy Secretary, and consultation with state, local, tribal, and territorial governments along with other stakeholders.
  • A report on the cybersecurity risks facing the Department of Defense’s warfighting capabilities and the defense industry, including its supply chain.

Part 3: Cybersecurity for the Nation

Part 3 focuses more on cybersecurity in an international context. It calls for yet more reports on:

  • Strategic options for deterring adversaries
  • An engagement strategy for international cooperation in cybersecurity
  • Workforce development and the competitiveness of US workforce cultivation relative to foreign nations.

People who follow and either make money on or are affected by the federal government’s cybersecurity efforts will have a lot to read after August 15, although parts of the forthcoming reports are likely to be classified. Although most of the EO’s immediate action items are studies or reports, those can be the beginning of significant policy change—precisely where the interests of NTSC members lie.

Milton Mueller is professor of public policy at the Georgia Institute of Technology, an internationally recognized scholar and author specializing in the political economy of information and communication, and co-founder of the Internet Governance Project.