Soon after he took office, President Trump issued Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Given that the President spent much of his campaign and early Presidency trying to distance his Administration from that of his predecessor, commentators noted a surprising amount of continuity between Trump’s cybersecurity EO and the Obama Administration’s approach to cybersecurity. A focus on critical infrastructure and transparency from publicly traded companies that control it; an emphasis on the public and private sectors working together; reliance on standards promulgated by the National Institute of Standards and Technology; a focus on protecting the Federal Government’s networks, including by taking steps toward using shared infrastructure such as the cloud – EO 13800 builds on existing policies and initiatives in each of these areas and others.
A period of relative calm with respect to matters of federal cybersecurity policy followed the issuance of EO 13800, as federal departments and agencies set about completing the various reports the Order assigned them. Recently, however, this relative calm abruptly ended with a flurry of cybersecurity-related activity. In late May, the Trump Administration decided to eliminate the White House cybersecurity coordinator post, and soon thereafter the Administration released a number of documents requested by EO 13800: (1) a report jointly issued by the Departments of Commerce and Homeland Security on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (the “Botnet Report”); (2) recommendations from the Department of State on Protecting American Cyber Interests through International Engagement and on Deterring Adversaries and Better Protecting the American People From Cyber Threats; (3) an Office of Management and Budget (OMB) drafted Federal Cybersecurity Risk Determination Report and Action Plan; and (4) an assessment jointly issued by the Departments of Energy and Homeland Security of Electricity Disruption Incident Response Capabilities. As Data Matters had previously noted, the elimination of the White House Cybersecurity Coordinator appeared to mark a sharp departure from the policies of the prior Administration. The four recent publications, however, show that this divergence may not be a general trend, as all four reports demonstrate general continuity on many key areas of federal cybersecurity policy, including the importance of the government’s partnerships with private sector and engaging with international stakeholders to develop cyber standards and norms.
Botnet Report. EO 13800 directed the Secretaries of Commerce and Homeland Security to publish a report that would “identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks.” On May 22, 2018, the Secretaries issued the Botnet Report, which, consistent with longstanding Federal policy, promotes the longstanding partnership between the federal government and the private sector in combating cyber-attacks. As the Botnet Report states, “[w]hile some actions directly related to the federal government are clearly appropriate for the government to lead,” there should be “a way for stakeholders to collaborate with government as they move forward on those actions that are best accomplished through private-sector leadership.”
Indeed, for more than a decade, public and private sector stakeholders have worked together to defend critical infrastructure against growing cyber threats, including botnets. For example, in 2013, the Federal Bureau of Investigation (FBI) partnered with Microsoft to disrupt more than 1,400 Citadel botnets. Subsequent joint public-private efforts targeted a botnet known as “Beebone” in 2015 and the more recent “Mirai” and “Reaper” attacks.
The Botnet Report signals the Federal Government’s desire to continue this public-private partnership and to focus on steps that can be taken to prevent the attacks in the first place. In particular, the Report noted that the “opportunities and challenges in working toward dramatically reducing threats from automated, distributed attacks can be summarized in six principal themes”:
- “Automated, distributed attacks are a global problem,” with many of the compromised devices causing attacks inside the United States operating extraterritorially, emphasizing the importance of international collaboration.
- “Effective tools exist, but are not widely used,” as the “the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available,” but only used in “selected market sectors.”
- “Products should be secured during all stages of the lifecycle,” as it is too easy to assemble botnets when devices lack the ability for effective patching or “remain in service after vendor support ends.”
- “Awareness and education are needed,” as users, developers, manufacturers, and infrastructure operators all can lack the knowledge and capabilities to protect the Internet.
- “Market incentives should be more effectively aligned,” as developers and vendors “are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates.”
- “Automated, distributed attacks are an ecosystem-wide challenge” that no “single stakeholder community can address . . . in isolation.”
The Report further identified “five complementary and mutually supportive goals that, if realized, would dramatically reduce the threat of automated, distributed attacks and improve the resilience and redundancy of the ecosystem.” These goals are:
- “Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.”
- “Promote innovation in the infrastructure for dynamic adaptation to evolving threats.”
- “Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.”
- “Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.”
- “Increase awareness and education across the ecosystem.”
State Department Reports. On May 31, 2018, the U.S. Department of State released summaries of two reports requested by EO 13800. Again, these reports appear to continue and develop existing themes in the U.S. Government’s cybersecurity approach – in particular, as seen in the 2011 International Strategy for Cyberspace, calls for increased U.S. government engagement with international and domestic partners to address the growing cyber threat. These reports come despite the downgrading by former Secretary of State Rex Tillerson of the State Department’s Office of the Coordinator for Cyber Issues that oversaw the reports, as well as the changes in cybersecurity leadership at the White House.
In particular, according to the summary, the first report, titled Protecting American Cyber Interests Through International Engagement, is focused on “strengthening coordinated U.S. government cooperation with foreign partners and allies to address shared threats in cyberspace, thereby improving the cybersecurity of the nation.” In order to do so, the report lays out five objectives and a series of corresponding actions for each objective, including:
- increasing international stability by promoting “international commitments regarding what constitutes acceptable and unacceptable state behavior in cyberspace from all states and how international law applies to cyberspace, developing cyber confidence building measures, and “promoting a new cooperative framework in support of cyber deterrence”;
- disrupting and deterring malicious cyber actors and enhancing resilience by, among other things, enhancing information sharing and military and law enforcement cooperation;
- upholding “am open and interoperable Internet where human rights are protected and freely exercised and where cross-border data flows are preserved” by, among other things, finding civil society organizations that support Internet freedom;
- maintaining “the essential role of non-governmental stakeholders in how cyberspace is governed” by, among other things, supporting the existing multi-stakeholder governance of the Internet; and
- advancing an “international regulatory environment that supports innovation and respects the global nature of cyberspace” by, among other things, rejecting “undue market access restrictions, including data localization requirements” and maintaining a strong system for protecting intellectual property.
Based on the released summary, the second report, Deterring Adversaries and Better Protecting the American People From Cyber Threats, asserts that “a fundamental rethinking” is required to develop “[s]trategies for deterring malicious cyber activities,” which are increasingly state-sponsored and fall below “the threshold of the use of force.” To respond to these, the Report recommends that the United States should, working with likeminded partners when possible, impose consequences on foreign governments responsible for “significant malicious cyber activities aimed at harming U.S. national interests.” According to the summary, “[k]ey elements” to the U.S. approach will include (1) creating a policy for when the U.S. will impose consequences; (2) developing a range of consequences; (3) conducting policy planning for imposing these consequences; and (4) building partnerships.
OMB Report. In response to a tasking in EO 13800 and consistent with a longstanding focus on the security of federal networks, OMB, working with the Department of Homeland Security, reviewed the cyber programs of 96 federal agencies. The final Report on this assessment found that 12 agencies of the 96 agencies had “high risk” programs, meaning that their cybersecurity tools were not implemented or sufficiently deployed. Additionally, 59 of the 96 agencies had programs that were “at risk,” meaning that “significant gaps” left the agencies vulnerable.
Generally, the Report appears to provide some indication of best practices in large organizations. The Report identified four “core actions that are necessary to address cybersecurity risks across the Federal enterprise”:
- “Increase cybersecurity threat awareness among Federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency SOCs to improve incident detection and response capabilities; and
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.”
DOE and DHS Assessment. Additionally, on May 30, 2018, DOE and DHS released a final joint assessment of U.S. incident response capabilities with respect to electricity disruptions (the “Assessment”). The Assessment addresses the critical public risk of prolonged power outages resulting from cyberattacks, and concludes that the U.S. is “well prepared to manage most electricity disruptions, though there are particular areas where catastrophic considerations and emerging threats reveal capability gaps against cyberattacks.” The Assessment outlined five main factors that may complicate a response to an incident:
- The possibility of no-notice events that prevent preemptive measures, restorative plans, and the activation of key personnel;
- Unpredictable system responses;
- The length of time required to perform system diagnostics following an incident;
- The “additional expertise in cybersecurity, ICS, and other potentially impacted segments of grid operations;” and
- The inability of current systems to fully support restoration.
To combat these factors, the Assessment recommends that public and private stakeholders engage in (1) plan distribution that details coordination processes and approaches for managing a “long-term power outage event;” (2) information sharing across sectors, (3) cross-sector coordination for incident response; and (4) training and exercises for both government and industry employees.
* * * * *
Overall, the recent reports issued by the Trump Administration are further evidence that, while Administrations can change, the growing cyber threat – and the policies and actions that are necessary to address it – continue to persist.