As administration drafts new cyber order, experts call for more action, fewer policies

Before Greg Touhill’s term ended as the first federal chief information security officer, he came to an important conclusion: agencies don’t need any more policies around cybersecurity and technology.

In fact, Touhill said on Jan. 23 that the Office of Management and Budget had identified 63 policies that needed to be rescinded under an initiative called Project CRUFT. Cruft is a term used in the software development process that means “dirty, unpleasant, extra, sloppily implemented, duplicated elsewhere or simply useless,” according to a TechTarget whitepaper on dev/ops.

“The success measure is not the number of policies, but how well you execute them. My focus is on execution and follow-through,” Touhill said at the Institute for Critical Infrastructure Technology (ICIT) Winter Summit in Arlington, Virginia. “I expect in the next coming weeks you are going to see a rescission of those policies. For example, why do we require every CIO out there to certify their systems are Y2k compliant? That is just adding drag to organization. I think we’ve successfully passed it. Follow-through is critically important. You need to be able to execute. That is something in the federal government, and I’d contend in the private sector too, this is a deficiency we all need to work on.”

As Touhill detailed his three recommendations around cybersecurity for the next administration, the Trump White House was busy writing yet another cybersecurity executive order calling for a host of studies and recommendations. To many experts, it feels like the Trump folks are paving the proverbial cyber cow path — more studies will just delay the real work.

Advertisement

The Washington Post obtained a copy of the draft on Jan. 27.

The draft EO calls for three 60-day reviews and one 100-day review of various cyber capabilities.
For instance, the preliminary memo says within two months the Secretary of Defense must submit to the president a review and initial recommendations for how best to protect national security systems and how to enhance protections of critical systems run by the civilian agencies and private-sector infrastructure companies.

Another section of the draft EO requires recommendations within 100 days for how best to get the private sector to adopt cyber protections.

A third section wants a review of the nation’s cyber adversaries, including capabilities and vulnerabilities, within 60 days.

“I believe it is prudent for the new administration to perform a review of cybersecurity risks. Assessing threats and vulnerabilities is an appropriate methodology and consistent with textbook approaches to the issue. Frankly, we should continually be assessing our risk,” Touhill said in an email to Federal News Radio on Jan. 27. “Fortunately, they are not starting from a standing stop. Each of the review areas already have a significant amount of information available from the previous administration’s Cyber Sprint, Cybersecurity National Action Plan and high-value asset assessment efforts. Additionally, the Cybersecurity Workforce Strategy, issued in July 2016, and the data gathered in its preparation should contribute extensively to the proposed review. I am hopeful they will leverage all available existing information.”

The Trump administration’s decision to develop its own cybersecurity order is not surprising but still disappointing.

The problems with federal agency networks, specifically, are well known. The Obama administration folks documented them well in the State of Federal IT report.

The report offered four findings around cybersecurity that focus on procurement, workforce, the need for high visibility initiatives and a model of collaboration between OMB and the agencies.

And there is little disagreement about what needs to be done to improve the nation’s technology workforce as well as how to protect the private sector’s critical infrastructure.

“Since it’s about the fourth time we’ve done this review maybe we will take it serious this time,” said Bob Lentz, president of Cyber Security Strategies, and a former Defense Department cybersecurity executive. “I wish they would have emphasized IoT stronger as this is the game changer for next decade.”

Shawn Henry, president of Crowdstrike Services and a former executive assistant director of the FBI, who oversaw computer crime investigations, put it more succinctly.

“Most of the order has been completed previously, so the reporting already exists,” Henry said in an email to Federal News Radio.

Should the EO become final, it would be the 11th since 2001. President Barack Obama alone signed six cyber-related orders:

  • October 2011 — Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
  • February 2013 — Improving Critical Infrastructure Cybersecurity
  • October 2014 — Improving the Security of Consumer Financial Transactions
  • April 2015 — Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities
  • February 2016 — Commission on Enhancing National Cybersecurity
  • December 2016 — Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber- Enabled Activities

Both the Obama administration and President George W. Bush administration performed cyber policy reviews.

The Bush administration developed a set of initiatives through the Comprehensive National Cybersecurity Initiative (CNCI) in 2008. The Obama White House followed the CNCI with its own 60-day review in 2009 that eventually led to 10 near-term actions.

Touhill also encouraged the new administration to extend its outreach to include key players including the Office of Personnel Management, the National Initiative for Cyber Education and private sector experts.

“I recommend that they consult with the sector coordinating councils from each of the 17 critical infrastructures,” he said. “The new administration ought to hear directly from the private sector’s representatives on what their challenges are in balancing cyber risk against corporate goals before launching what could turn out to be just another well-intentioned government program that actually doesn’t contribute value to the private sector.”

While no one would argue against the new administration learning and understanding about the cyber risks, vulnerabilities and opportunities agencies, industry and critical infrastructure providers face taking two-to-four months to get moving on potential and real solutions are frustrating, to say the least.

The groundwork laid over the two administrations over the past decade should be more than enough to have a plan of action in place in the next 30 days.

Return to the Reporter’s Notebook