January 31, 2017–As President Donald J. Trump prepared to issue an executive order (EO) on cybersecurity, it appeared his approach might differ slightly from how the Obama administration addressed the issue. In many ways, however, the order, which President Trump is expected to sign this week, will rely heavily on the work that was done during the Obama years, administration officials said today. The foundational documents that seem likely to influence the EO, for example, include the voluntary cybersecurity framework for critical infrastructure that was issued by the National Institute of Standards and Technology under President Obama and the report of the Commission on Enhancing National Cybersecurity.

The NIST framework has been widely praised for offering a flexible blueprint for improving the cybersecurity of entities large and small and for its reliance on input from the private sector.  The Commission on Enhancing National Cybersecurity, which issued its report in the waning days of the Obama administration, was designed in part to give the new administration some guidance (TRDaily, Dec. 2, 2016).

In developing its EO, the Trump administration looked through “all the commission reports and other external reports,” including the Obama cybersecurity commission, an administration official told reporters.  “We have taken some of those recommendations.”

“You will see that, for instance, requiring the use of the NIST framework is something that was recommended in that commission.  It’s a bipartisan issue.  It’s something we believe is a good recommendation and you’ll see President Trump directing it in his order,” the official said.

Where President Trump might differ is in demanding more accountability from agency heads, the official indicated.  “Agency heads are already obliged to manage their risk,” the official acknowledged.  “This is not new.”

“What we’re doing moving forward is attempting to make agency heads aware that they have a deep responsibility here as opposed to delegating it down to their CIOs [chief information officers] or more subordinate junior staff.  We want them to stay on top of it, and we believe that President Trump’s cabinet will do so,” the official said.

In remarks to reporters, President Trump confirmed that he would demand accountability.  “I will hold my cabinet secretaries and agency heads accountable – totally accountable – for the cybersecurity of their organizations,” he said.

The Office of Management and Budget will also continue to have a prominent role in cybersecurity.  While agency heads will secure their own networks, OMB will “assess and manage the collective risk of the federal executive branch,” an administration official said.

Despite concerns that Mr. Trump’s campaign rhetoric seemed to suggest that he would give the Defense Department more authority for cybersecurity at the expense of the Department of Homeland Security that does not seem to be the case.

At a meeting today to discuss the issue, DHS Secretary John Kelly was seated prominently beside President Trump and offered brief remarks about his department’s cybersecurity mission.  In an analysis of a draft cybersecurity EO that seems to have leaked from the White House, Charley Snyder, DoD’s former deputy director-strategic cyber defense and capabilities, and Michael Sulmeyer, DoD’s former director-plans and operations for cyber policy, noted that DHS’s role appeared to be undiminished. “The Trump administration is continuing the Obama administration’s approach to DHS’s role – that it should be the lead civilian agency for cybersecurity,” they said in a piece published on the Lawfare blog.  “Although it remains to be seen how DHS will fare in terms of any subsequent realignment of roles and missions, for now its role remains as before.”

Messrs. Snyder and Sulmeyer, however, expressed surprise that the draft EO did not mention the Federal Bureau of Investigation.  “We are not sure how to explain this, as the FBI and law enforcement secured an important role in cybersecurity early in the Obama administration,” they said.  “Perhaps this is an omission that will be corrected in a later draft.”

“Likewise, consideration of broader criminal and legal issues is missing from the order,” they added.  “U.S. statutes covering computer crime and surveillance, including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and others are in need of modernization to create a healthier environment for lawful computer security research and to ensure law enforcers have the right tools at their disposal to combat crime.”

“While the intent of the executive order represents a reasonable start to getting a handle on the cybersecurity challenges that await this administration, this appears to be another case where an executive order has not been coordinated with federal departments and agencies,” they said.  “Our concern is that the document’s authors are either unaware or dismissive of the substantial equities and capabilities of a broad swath of the government.”

The EO is also expected to call for the modernization of federal government information technology, an assessment of the cyber capabilities of U.S. adversaries, a review of U.S. capabilities in cyberspace, and incentives for the private sector to raise its cyber defenses. – Tom Leithauser, tom.leithauser@wolterskluwer.com

Courtesy TRDaily