Mixed reviews for Trump’s Executive Order on cybersecurity

The reviews of President Donald Trump’s Executive Order (EO) on cybersecurity were coming in within hours of its signing yesterday afternoon, and they were most definitely mixed.

There was general agreement that the intent of the EO – delayed more than three months from late-January, when it was originally scheduled to be signed – was good.

Several experts called it “a good start,” and a few, including Jacob Olcott, vice president at BitSight and former legal advisor to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, thought it was much better than a good start.

Olcott called it, “smart policy and a big win for this administration.”

But others, including Daniel Castro, vice president of the science- and tech-policy think tank Information Technology and Innovation Foundation (ITIF), were disappointed. Castro called it, “mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country needs to address its most pressing cyber threats.”

Below are comments from a range of cybersecurity experts on what they see as the strengths and weaknesses of the Trump administration’s first major policy document on cybersecurity:

Paul Rosenzweig, founder of Red Branch Consulting, former deputy assistant secretary for policy at the Department of Homeland Security and a regular blogger at Lawfare.

 "Not a lot of action,” he said. “I count 15 reporting requirements.  Perhaps it’s the start of a good policy, but only a start.”

Jacob Olcott, vice president at BitSight

In a written statement, Olcott praised the EO’s focus on several critical areas:

- “Federal agency cybersecurity, which we all recognize has been lacking,” he wrote. “The order demands an assessment of where things currently stand, a focus on secretary-level accountability, and a shift towards standardizing protections as described in the NIST (National Institute of Standards and Technology) Framework.”

- “Department of Defense (DoD) contractors and third party vendors to the government – often times the weakest link in security. This is an issue widely overlooked by the government and long overdue for White House-level prioritization.”

- “Critical infrastructure. It calls out a market-based approach to drive better security in this area, specifically suggesting that transparency to investors can be an important driver for enhanced cybersecurity.”

Olcott noted that there are a limited number of EOs that can be signed in the early days of a presidency, “and it speaks volumes that cybersecurity made the cut.”

In general, he said that the focus on, “executive-level accountability, securing the third-party ecosystem, and developing a market-based approach to securing critical infrastructure (is) exactly what cybersecurity needs now.”

Eddie Habibi, CEO and Founder of PAS

Habibi said the EO, “addresses the right areas of concern – updated federal systems, critical infrastructure, deterrence, workforce education, and more. Thankfully, the executive branch continues to emphasize securing critical infrastructure as a high priority.

“We were particularly encouraged to see deterrence take a front seat,” he added. “A nation-state cyber attack on the industrial control systems in a refinery that results in physical damage or injury is no different from dropping a bomb on that refinery. So long as attribution is clear, consequences must include the option of a proportional kinetic response.”

Joe Weiss, managing partner at Applied Control Solutions

Weiss, who is an expert on risks to industrial control systems (ICS), said he applauds the administration for its focus on critical infrastructure, but noted that the words, “control systems” and “SCADA” (Supervisory Control and Data Acquisition) aren’t even mentioned.

“I think their hearts are in the right place,” he said, “but this is more about IT. They mention data and data breaches, but I don’t think they had access to the right input.

“You look at who they mention – Homeland Security, the Attorney General, Secretary of Defense, the FBI, Director of National Intelligence – those are the wrong organizations if they want to protect control systems. They’re all good, but they’re not us.

“It’s kind of a gaping hole,” he said.

Daniel Castro, vice president of ITIF

In addition to his criticism above, Castro noted that a commission created by the Obama administration had, “left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”

Castro said he was surprised, given Trump’s belief in the private sector, that the EO relies so heavily on government. “The private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues,” he said.

Michael Overly, partner at Foley & Lardner

Overly called it, “a very solid, thoughtful first step in setting cyber policy for the nation,” adding that, “in a word, that means ‘accountability.’”

He also praised the inclusion of the NIST Framework for Improving Critical Infrastructure Cybersecurity, although he cautioned that it is designed to address critical infrastructure, and would not be a suitable guide for all businesses.

Finally, he applauded the focus on updating or replacing outdated government computer systems, but said that would be, “a monumental task,” given budget constraints.

Dana Simberkoff, chief compliance and risk officer at AvePoint

She called it, “an opportunity not only for agencies to assess and improve their internal cyber programs, but also to look at investments in education and the corporate space to empower a future generation to be privacy and security aware, and to encourage companies to ramp up their investments in technologies.”

Ed McNichols, co-leader of the Privacy, Data Security and Information Law practice at Sidley Austin, and former associate counsel to President Clinton

McNichols said the directive for federal agencies to share resources and work together is, “a sound move,” noting that, “having each agency run its own cybersecurity program creates tremendous inefficiencies and requires endless coordination.”

He also applauded the mandate to use the NIST framework for critical infrastructure. “Companies will find it easier to work with the government if the government and industry are using the same NIST framework,” he said.

Greg Martin, CEO of JASK

Martin called the EO “sensible,” but said the real need is for, “better funding, not necessarily more reports or strategic planning. The infrastructure spending bill that eventually goes out needs to emphasize cybersecurity improvements for these badly outdated systems. It will be expensive and hard, but it has to be done,” he said.

He said government needs to do more in some areas, however, including helping the private sector deal with nation-state threats.

And he said the EO did not address, “new risks in emerging areas such as IoT. More could be done, as we have already seen the vulnerability of our infrastructure in the Mirai botnet attack,” he said.