Cybersecurity Executive Order Draft #2 Could Mean Higher IT Budgets

In a previous entry, I looked at the first draft of a potential White House Executive Order on Cybersecurity. It is noteworthy that the second version of this EO is significantly different from the first.

The latest draft, obtained and posted online by several sources, including the Lawfare blog and GovInfoSecurity, is entitled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. As such, is broken down topically and addresses predominantly federal actions to assess and improve federal cybersecurity and to support greater critical infrastructure protection among key private infrastructures.

Cybersecurity of Federal Networks

The new draft EO takes much more of a traditional network- and risk- perspective to federal cybersecurity than the previous draft.  

• Agency Accountability Stressed – Accountability for the cybersecurity of federal networks sets the tone from the beginning: “The President will hold accountable heads of executive departments and agencies (Agency Heads) for managing the risk to their enterprises.  In addition, because risk management decisions made by Agency Heads can affect the risk to the executive branch as a whole, it is also the policy of the United States to manage cyber risk as an executive branch enterprise.” The White House would put agency head on notice that for unmitigated risks and things like the failure to install security patches, the cyber buck will stop with them.
• Risk Management – If the message above was not clear enough, the EO states that agency heads will be held accountable “for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems.” 

Agencies are expected to use NIST’s Framework for Improving Critical Infrastructure Cybersecurity (which is currently in the comment period for proposed updates) to manage their agency’s cyber risk.  Further, each agency would need to report on their Framework implementation posture to the Office of Management and Budget (OMB) Director and the Secretary of Homeland Security within 90 days of the date of the order for assessment. Two months later the Director and Secretary would submit to the President a plan to overcome any insufficiencies – including any budgetary needs necessary to managing risk – and update and align any policies, standards, and guidelines with the Framework.

IT Architecture Modernization

The EO states that, effective immediately, it is U.S. policy “to build a more modern, more secure, and more resilient Executive Branch IT architecture.” Two areas are noted for immediate attention:

• Preferences for Shared Services – Agencies are to show preference in their procurement for shared IT services, including email, cloud, and cybersecurity services.
• IT Modernization Plan – The Assistant to the President for Intragovernmental and Technology Initiatives, in cooperation with the heads of OMB, DHS, GSA and Commerce, would coordinate a report regarding modernization of federal IT within 5 months of the order, describing the technical feasibility, cost effectiveness, and timelines of transitioning all agencies to one or more consolidated network architectures, and of transitioning all agencies to shared IT services.

Critical Infrastructure Cybersecurity

The draft focuses much attention on critical infrastructure protection (CIP). To ensure that the federal government is ready to do its part to aid in the protection of the operation of critical infrastructure entities, the EO would have numerous national security, legal, law enforcement, and sector specific agencies take the following steps:

• Assess Authorities – Identify the authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure (CI) owners and operators (based on Obama’s EO 13636, Improving Critical Infrastructure Cybersecurity, from February 12, 2013), that if attacked, could have catastrophic effects on public health or safety, economic security, or national security. These federal agencies would also engage with these CI organizations to determine how agencies can support their risk management efforts and report back to the White House within 180 days on all of these findings and any recommendations for better supporting the cybersecurity of the CI entities.
• Support Transparency – The DHS Secretary would report on the sufficiency of existing federal policies and practices to promote appropriate market transparency of cyber risk management practices by critical infrastructure entities, within 90 days.
• Core Communications Infrastructure – The Secretary of Commerce would identify and promote action by owners, operators, and other stakeholders of core communications infrastructure to improve its resilience and to encourage collaboration to reduce the threats from botnets, etc. The Secretaries of Commerce and Homeland Security shall publish a preliminary report within 8 months and a final report within 1 year.
• Electricity Disruption Response Capabilities – DHS, Energy and others would conduct an assessment within 90 days of the potential scope and duration of a significant cyber incident against the U.S. electric subsector and our readiness to manage the consequences of such an incident as well as any shortfalls in assets or capabilities required to mitigate the consequences of such an incident. 
• Department of Defense Warfighting Capabilities and Industrial Base – The Secretary of Defense and others would report within 90 days on cybersecurity risks facing the defense industrial base (DIB), including its supply chain, and U.S. military platforms, systems, networks, and capabilities, and make recommendations for mitigating these risks.

Cybersecurity for the Nation’s Internet

Finally, the draft focuses on fostering an open, interoperable, reliable, and secure Internet. In support of this, the Secretaries of State, Treasury, Defense, Commerce, Homeland Security, the Attorney General, and others would assess the following:

• Deterrence and Protection – Within 90 days, report on strategic options for deterring adversaries and better protecting the American people from those who would use networked technology to disrupt the Internet.
• Internet Freedom and Governance – Within 180 days, report on continued actions to support the multi-stakeholder process to ensure the Internet remains valuable, reliable, and secure for future generations.

Federal Market Implications

One of the stated findings is that the executive branch has for too long accepted antiquated and difficult to defend IT and information systems and the modernization plans that would be forthcoming will naturally require the support of budgets and appropriations to implement. Assuming that OMB advocates for its modernization plans on the Hill and Congress goes along, we could see federal IT budget growth at levels we have not seen for several years. While optimism in this respect should be guarded at this point, if the need to modernize provides leap-frog potential for cybersecurity then several adjacent areas – from IT services and software to network infrastructure – could ride the coattails and see growth.

Some have concluded that, if enacted, the White House’s efforts to spur private sector critical infrastructure would increase costs on these industries. That may be true. The element in the draft EO that focuses on the cybersecurity risks facing the defense industrial base and its supply chain could result in greater requirements on contractor firms to provide assurances that their systems comply with federal standards, existing or new, especially when those systems access, process, and/or store federal data. It is also conceivable that any newly identified supply chain risks could result in additional restrictions on DIB companies’ use of certain components and software. All this could raise operating costs that may or may not be able to be passed on to their federal customers.