President Donald Trump’s cybersecurity executive order is moving along, according to private sector advisers, and could be signed by the middle of March — or not.
Sam Palmisano, former IBM CEO and vice chairman of the Commission on Enhancing National Cybersecurity, told an audience gathered for a March 6 event at the Center for Strategic and International Studies (CSIS) that his sense was maybe “within a week or so we could see something.”
“But I would have said that two or three weeks ago as well, so I don’t want to set a bar for them,” Palmisano said when asked about the EO’s publication. “They’re working through the process.”
White House watchers have been waiting since late January for the cyber EO to drop. Rumor had it the order was scheduled to be signed Jan. 31, but after Trump met with public and private sector cyber experts, he decided to pull back its release.
“I think we’ll all be looking very closely to see what the EO says, and certainly appreciate what the administration is doing in taking its time on the deliberate process it’s gone through with the EO and what the outcome will be,” said Kiersten Todt, the commission’s executive director and moderator of the CSIS event. “I think one of the things that’s been on everybody’s mind has been the EO. The good news is who would have thought four, six, even maybe three years ago, that we’d all be waiting with bated breath for an EO on cybersecurity. But we are and that’s a fantastic thing, and that I think demonstrates the importance of this issue and how we’re all looking at the criticality of it both for national security as well as economic security.”
A briefing by a senior administration official back in February offered some clues as to what could be included in the order, some of which were part of the discussion at the CSIS cybersecurity panel.
One of the main takeaways from the February briefing was that the Trump administration wants department secretaries to be held more accountable for managing their agency’s cyber risks. The draft order would require agency senior leaders to implement the cybersecurity framework developed by the National Institute of Standards and Technology to measure and mitigate risk.
CSIS’ Cyber Policy Task Force released its own recommendations to the incoming administration in early January, entitled “From Awareness to Action.”
Steven Chabinsky, a CSIS task force member and partner with White & Case, said there’s no doubt agency heads should have cyber responsibilities, but added, “I can’t help but caution that they may be being set up to fail.”
Agency heads won’t have $600 million and 2,000 people working on cybersecurity full time like private-sector stakeholders recommended to the task force, Chabinsky said. A workforce of cyber-skilled people could be moving not only from agency to agency, but also back into the private sector, and procuring technologies will also be a challenge for agency heads, he said.
“I agree that they need responsibility, but that responsibility in my mind is a leadership role, that will bring to the fore what the real issues are,” Chabinsky said. “If we look at the last draft executive order … we see a big focus on risk management principles, which include assessing what the risks are, which I think every leader must do, and addressing how you’re either going to mitigate or accept that risk and why, and that every leader can do.”
The federal cybersecurity commission released its report in December 2016, and it includes 53 specific action items that deal with everything from public awareness and education to privately-owned critical infrastructure, state and local government cybersecurity, and the “Internet of Things.”
“We didn’t address some things not within our scope. We didn’t address the encryption issue for example, and we didn’t address the ‘dot-mil,’ the military side of things,” said Tom Donilon, chairman of the cybersecurity commission and a partner with O’Melveny & Myers. “But I do think that part of the agenda that the new administration should work on in addition to other things … is really a revitalization of trust between the federal government and the private sector. That I think is one of the great prices of Edward Snowden’s horrific disclosure of some of the most important information in the government. I would hope that would be part of the agenda, too.”
Karen Evans, national director of the U.S. Cyber Challenge, is a CSIS task force co-chairwoman. In response to a comment about the current administration’s perceived lack of organization in staffing its cyber leaders, Evans pointed out that in CSIS’ report, experts looked at what roles needed to exist.
“You don’t need a chief information officer, a chief innovation officer, a chief information security officer, a chief digital officer,” said Evans, a former administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. “There are so many chiefs in these agencies. I think you might want to take off the lens of this is the traditional way of looking at it. It’s an opportunity to be able to say what do you really want these roles to do and what do you really want these jobs to accomplish. Just because certain positions aren’t filled doesn’t mean that they’re not working on the issues and the policies aren’t being discussed.”