Managing the Risk of Cyber Security: The Trump Administration’s Executive Order
The government can’t just report or “risk manage” its way to good cybersecurity.
By Brandon Valeriano and Ryan Hagemann
In the movie The Graduate, Dustin Hoffman gets some sage advice from a family friend. The best way to manage his future? “One word: plastics.” No further explanation is necessary. It’s self-explanatory: everything is going to be about plastics. The future is plastics. His future is plastics. The Trump Administration’s approach to cybersecurity is much the same.
Instead of plastics, however, the future of cybersecurity is “risk.” The Administration’s recently released executive order (EO) on cybersecurity mentioned the term “risk management” 16 times and “risk” 32 times. Why is risk so critical to cybersecurity? The National Institute of Standards and Technology (NIST) produces guidelines that serve as a critical conduit for managing government responses to cybersecurity incidents. Mr. Trump’s EO mandates that all agencies follow NIST guidelines on cybersecurity.
By focusing on the process of identification, protection, detection, response, and recovery, NIST guidelines form a baseline for the process of defending the nation from cyber threats. That process is focused on minimizing risk. Though it’s important that we aim to mitigate and manage risk in cyberspace, this EO’s actual prescriptions for accomplishing those goals are little worthy of praise.
While the NIST guidelines offer prudent suggestions for minimizing the impact of cyber threats — and provide a guideline for how to recover from attacks — they offer little functional guidance. Additionally, the Commerce Department’s write-up on implementing NIST guidelines offers no practical advice on how to solve the overarching problems associated with cybersecurity. Instead, the Department takes a page from the Trump Administration’s cybersecurity strategy playbook and mentions “risk management” a staggering 114 times. Bear in mind that this is a 30-page document (supplemented by references, a glossary, and some neat pyramid figures) that provides little to no technical guidance on suggested hardware or software for securing agency systems. Instead, the document focuses on how to better “organize the risks [agencies] have accepted and the risks they are working to remediate across all systems.”
As opposed to the recently released advice for identity and password protection, the NIST framework for cybersecurity risk management is a hodgepodge of convoluted business-school speak that offers no real solutions to the problems confronted by federal agencies in cyberspace. The Internet ecosystem is plagued by nefarious ransomware attacks, such as the recent WannaCry pandemic, hostile third-party actors like the Shadow Brokers and WikiLeaks, and a host of other malicious tools filtering into the digital ether.
Now is the time for real and substantial action, not a series of organizational management reports that continue kicking responsibility down the road. Unfortunately, Mr. Trump’s cybersecurity EO fails to deliver.
Instead, the President’s EO charges all of the 440 federal agencies with conducting a risk management assessment and undergoing a NIST review. Once completed, the Office of Management and Budget and Homeland Security directors are required to submit their own report summarizing and evaluating each of the other agencies’ initial reports. On top of this, the federal government must deliver reports on: how it intends to modernize federal information technology processes; the risks to critical infrastructure; how to promote transparency throughout the federal government; the threat posed by botnets and electricity disruption; the defense industrial base and supply chain; deterrence options; efforts to promote international cooperation; evaluations of domestic and foreign workforce development; and both assessing and increasing cyber capabilities.
If you leave out each of the individual agency reports, that means the EO on cybersecurity requires 12 reports to be written, processed, and evaluated, all within a year. This is a tepid response in the face of the enormous challenges posed by the digital landscape. Now is the time for bold action and solutions, starting with upgrading the government’s IT hardware. It is unsustainable and irresponsible that agencies still use Windows XP and want for talent and expertise. Seventeen years into the new millennium, the government still lags years behind the private sector in IT deployment and modernization — that needs to change, and fast.
The most important report required by Mr. Trump’s EO is focused on identifying practices to enhance the federal cybersecurity workforce. Talent is the most critical and valuable asset any organization has in determining how to manage cybersecurity dilemmas. The unfortunate reality of the modern age is that the very digital systems we now rely on so heavily remain consistently vulnerable to attack. Dedicated experts who remain constantly vigilant in the face of changing threats are needed now more than ever. Until the government gets serious about incentivizing top-tier talent to join its understaffed ranks of IT specialists and security engineers, it will be increasingly vulnerable to emerging threats from black-hat hackers, cybercriminals, and foreign actors.
All of this Administration’s reports and high-level strategic organizing will mean nothing without a workforce capable of implementing technically advanced defense measures, securing our infrastructure, and integrating cyber capabilities into national defense.
Originally published at niskanencenter.org on May 16, 2017.