The large companies that own and operate the nation’s internet and telecommunications backbones and those that run major online services will have to do more to tackle wide-scale automated cyberattacks, according to the latest draft of a Trump administration executive order.
The draft also instructs Cabinet secretaries and agency heads to use shared IT and cybersecurity services whenever they can, and to employ the National Institute for Standards and Technology’s Cybersecurity Framework as the tool for a mandatory risk management review. It tasks a White House adviser with reporting on the feasibility of transitioning the entire executive branch to a single IT network architecture.
The text of the draft order, which was originally slated to be signed this week, was posted online by the Lawfare blog.
It’s not clear why the EO, which has now been twice scheduled for signature, remains unsigned, although some observers suggested it was still being tweaked.
This week, Bill Zielinski, deputy assistant commissioner of category management at the General Services Administration, said this week at the Verizon Government of the Future Summit produced by FedScoop that it would be signed “very soon.”
The draft order tells the secretaries of Commerce and Homeland Security to lead an “open and transparent” consultation process to “identify and promote action by owners, operators, and other stakeholders of core communications infrastructure to improve the resilience of such infrastructure … with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
A preliminary version of their report is due after 240 days, a final one after a year.
The term “core communications infrastructure” is not defined in the EO and is likely to prove controversial because ownership of it implies some new cybersecurity rules — even if they come in voluntary or self-regulatory form.
Paul Rosenzweig, the George W. Bush administration-era DHS policy official who posted the draft after receiving identical copies from three sources, told CyberScoop the new category was “both obvious and indefinite.” Obvious because “attacks on the core of communications – such as the internet backbone and major telecoms – are of particular concern.” But indefinite “in that its precise breadth needs definition,” he said.
Rosenzweig said he expected the eventual definition would include large cloud providers like Amazon Web Services, but not applications and services such as Facebook or Netflix.
“In the end, however, the first task will be to more precisely define the scope of this initiative,” he concluded.
Most of the other provisions regarding critical infrastructure are notable for building upon the Obama administration’s cybersecurity policies, rather than replacing them.
One exception is a new policy goal to “promote appropriate market transparency of cyber risk management practices by critical infrastructure entities,” especially publicly traded ones — a provision impacting utilities, banks and telcos, along with all the 16 sectors declared “critical infrastructure” by DHS.
The draft also requires all federal agencies to adopt the NIST Cybersecurity Framework as a roadmap for a risk management review they have to conduct within 90 days.
Consolidated networks and shared services
The most radical proposals in the EO relate to federal IT.
Not only are agency heads told they must use shared IT and cybersecurity services “to the extent permitted by law,” but Assistant to the President for Intragovernmental and Technology Initiatives Reed Cordish is tasked with conducting a 150-day review to determine “The technical feasibility and cost effectiveness … of transitioning all agencies to one or more consolidated network architectures … [and] to shared IT services, including email, cloud services, and cybersecurity services.”
The impetus to shared services comes not just from a desire to be efficient and keep costs down, but also because it’s the only effective way to manage risk, said Zelinski.
“What we’ve heard consistently in our conversations with the new administration folks is they are very much interested in figuring out how we could manage risk in the federal IT enterprise,” he said.
The draft empowers OMB officials, including the federal CIO, to conduct a risk-management exercise across the whole federal enterprise, showing that the new administration is also cognizant of the IT risks outside of the operational cybersecurity landscape, like wasting money on duplicative systems and failed project development.
“The executive branch has for too long accepted antiquated and difficult to defend IT and information systems,” the EO states.
“They really are going beyond just that risk that’s associated with IT security, and they really are looking at the risks that are associated generally across IT,” Zelinski said. “How can we ensure that we identify those risks? How can we ensure that those risks, such as being able to implement successfully on those dollars that we spend in IT, that we’ve mitigated those risks and we’re able to execute on our programs.”
“The the focus on modernization is key,” said another former GOP DHS official, James Norton. “We learned from the OPM breach that legacy IT is a cybersecurity nightmare.”
He said he didn’t see the EO as centralizing power over IT. “It’s not that proscriptive,” he said. “It isn’t centralization so much as recognizing that everything’s connected. … it’s not micromanaging [agency heads] it’s just setting priorities for them.
In any case, he concluded, “It’s not the final text, so there might be tweaks before it’s signed.”
Billy Mitchell contributed to this report.