While May 11 saw the release of the long-awaited Trump Administration Cybersecurity Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 1 saw the less public release of an important companion document called Establishment of the American Technology Council. Focused on IT modernization and the upgrade of legacy IT in federal networks, this document sets the context for future federal agency cybersecurity policies yet fails to prioritize cyber protections while doing so.False Starts, with a Right TurnThe promised 90-day deadline for a cyber report and review passed without release of a final document, leaving agencies in a holding pattern and in a position to implement the previous Administration’s policies without updated guidance. The 11 May Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, went through successive iterations, many of which were leaked to the media and well0connected subject matter experts.Receiving less attention but developed in parallel, a second document emerged. It focuses on IT modernization and efficient delivery of digital services to the American public. This executive order sets the context for its companion document. The 1 May Executive Order, Establishment of the American Technology Council, creates an interagency process for IT modernization that diminishes the centrality of cybersecurity in national policy in favor of a fractured interagency process that eliminates a key coordinating mechanism for setting federal priorities.Conflicting ThemesWhile the the American Technology Council (ATC) prioritizes the efficient delivery of digital services through cross-governmental strategies and direction of federal agency IT modernization, it does so without articulating a clear cybersecurity risk awareness or vision. The ATC also creates a new peak organization with a director empowered to pursue Administration priorities under a decision-making framework reporting directly to the Senior Advisor to the President.This new policymaking venue supersedes line agency authority over cross-agency IT and cybersecurity risk judgments and leverages OMB authorities in ways that reinforce centralized oversight at the expense of agency decision making. Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure indicates a reset of federal agency cybersecurity and critical infrastructure policy yet refreshes the role of the cybersecurity coordinator.The Executive Order does, however, launch 15 studies of cybersecurity risks and vulnerability conditions reporting over a 60-to-240-day timeline. While this document does focus on refreshing agency roles addressing defense and defense industrial base cybersecurity priorities, electricity disruption and security of core communications services, it does so in a manner that dilutes the role of DHS and reduces the directness of federal risk prioritization and communication in favor of a more private sector-dominated approach.An additional detail is the absence of any overt tasking of the National Academies or the President’s Science Advisor, something which might be expected to narrow the technical uncertainties involved in reconciling the two panels’ work.“Content” versus “Newness”The two executive orders are studies in contrast. The ATC document directs an interagency effort to coordinate IT modernization and enhance digital services delivery. Interestingly, cybersecurity support and processes fit into this category (e.g., services provided under contracts such as FedRAMP) but are not called out in the order.Similarly, while modernization and the retirement of legacy IT systems is commonly viewed as a shortcut to enhanced cybersecurity, the ATC does not include a formal role for the Cybersecurity Coordinator in determining priorities. Indeed, the cybersecurity coordinator is not mentioned in the document at all. This suggests that closure of cyber vulnerabilities may be competing with IT modernization for both attention and resources.The informal task force approach adopted by the ATC contrasts sharply with the structured study portfolio and routinized agency accountability focus defined by the cybersecurity executive order. The reports and studies called for in that document have a scope spanning both federal agency networks and business operations and 16 critical infrastructures.Priority focus items are defined in three areas: (a) disruption of electricity supply due to cyber exploitation; (b) the defense industrial base Department of Defense war fighting capabilities; and (c) Executive Order 13636 – Section 9 critical infrastructure entities and assets – critical infrastructures of highest importance.A “Net” AssessmentConsidered together, these two executive orders promise a reset of federal IT policy that cannot help but impact cybersecurity priorities and programs. The synchronization of these efforts, however, is nowhere described beyond the obvious centrality of White House coordination mechanisms that appear to favor ad hoc, rather than tightly structured, decision-making.Neither of the executive orders articulate a legislative agenda to which Congress can be expected to respond in less than the year it will take to execute planned program reviews.Two sub-themes are clear: a shifting federal role and competing, potentially conflicting program timelines:Support vs. Leadership by Federal EntitiesA distinct departure in the Cybersecurity executive order is a shift toward federal action in support of private sector cyber risk management decisions rather than the articulation by the federal government of national cybersecurity priorities and mandates. The plain language of the order appears to subordinate federal action to the independent risk orientations of the private sector.The timelines for the 15 studies directed in the order also extend beyond the shorter-term IT modernization processes anticipated under the ATC. In short, IT modernization and cyber risk management may be on contrasting and competing timelines.Near-Term Action vs. A Restart – Potentially Divergent AgendasThe ATC and cybersecurity executive orders adopt differing approaches to transforming aspects of the IT (and operational technology or OT) environment. While IT modernization prioritizes efficient delivery of digital services through a shared services model, the replacement of legacy IT carries with it tangible risks. Yet the cybersecurity order launches 15 separate but interdependent studies that span a full year’s worth of work.In turn, these studies create a potential “bow-wave” of requirements for future policy and technical solutions that will need to be reconciled with IT modernization priorities. Coordination of pilot tests and lessons-learned from the private sector will be particularly challenging.Prospects for ImprovementThe Trump Administration has begun to define its approach to federal network and critical infrastructure cybersecurity. This approach has two parts: IT modernization and a zero-based review of federal and critical infrastructure vulnerability mitigation priorities. Close coordination of these two work streams is a requirement for effective policy.The composition of the ATC suggests that it will be the primary venue for setting broad priorities in federal agency cyber and IT technology investments. Effective cyber risk management requires that legacy technology refresh be synchronized with a security life cycle and critical data.The absence of a clear role for the cybersecurity coordinator places in doubt effective and subject matter expert-influenced planning that prioritizes cyber security. Meanwhile, the Cybersecurity executive order’s focus on electricity disruption, defense sector and warfighter cyber capabilities, and Section 9 critical nodes now competes with an IT modernization agenda for policy preeminence.Taken separately, the two executive orders describe coincident priorities. In combination, however, the two documents are likely to exacerbate potentially complex and competing priority agendas with different advocates and divergent resourcing requirements. Rather than presenting a clear vision for cybersecurity policy, the Administration has roiled the policy debate with little prospect of near-term resolution of potential conflicts.
About the Author: David Mussington PhD is Professor of the Practice and Director of the Center for Public Policy and Private Enterprise at the University of Maryland, and a Senior Fellow at the Center for International Governance Innovation (CIGI). Dr. Mussington served on the Obama Administration National Security Council staff, and was Senior Advisor for Cyber Policy at the Office of the Secretary of Defense.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.