What the Executive Order says
Executive Order 13800 is entitled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." It has 5 sections and is unusually long, running 7 pages in the Federal Register.Section 1
This section defines the policy which is described in the first subsection as risk management at both the agency and department level as well as at the overall executive branch level due to the interdependent nature of the Information Technology (IT) infrastructure. The next subsection defines the rationale for needed action. This consists of relatively vague criticisms of how poorly it has been done in the recent past. Point (v) though is a good statement and this really should have been part of the policy statement.1(b)(v) Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.IT exists at the nexus of technology, privacy and service delivery. The listed aspects have all need to be balanced in a suitable way. When something happens, it often generates scary headlines and there is a communications function to this EO to provide confidence to citizens that there is seriousness in government to assure that systems work and that they and the data they handle are secure.
The next subsection is entitled "Risk Management". This provides some direction to heads of Agencies, first and foremost stressing that they are responsible for assessing risks and assuring that adequate resources are provided to be able to reduce the risks to acceptable levels. There is a requirement for each Head to provide a risk management report within 90 days and then goes on to describe what is required to be in the report. Upon receipt of the report, the Secretary of Homeland Security and the Director of the OMB shall review the report to see if the risk levels and mitigation plans are adequate. A summary of the agency reports will be compiled into a report to the President. This applies to classified systems as well as unclassified ones. 1(c)(vi)(A) implies that solutions need to be selected with the potential to deploy them across multiple agencies if possible. 1(c)(vi)(B) requests a second report to the President on whether we can just simply buy and deploy a new set of computers on a single huge network based on the assumption that newer is always better.
1(c)(vi)(C) gives "National Security Systems" an allowance for being exempt from the requirements of the EO if it can be justified in some way.
Section 2
This section discusses cybersecurity of critical infrastructure, for example the electrical grid and power stations. This directs that it is considered how Government can support private industry and provide that in a report and update the report annually. Subsection (c) calls for a review of policies and practices and the report could well suggest additional regulation. The next subsection focus on Distributed Denial of Service attacks and a separate report on these is requested. The next section specifically looks at vulnerabilities in the electrical distribution system and requests a report on that. The last subsection focuses on defense industries, their supply chain as well as military systems and yet another report is requested.Section 3
This section starts with a policy statement that internet availability for all is good. It then goes on to look at options for deterring adversaries, international cooperation and workforce development. Various reports are generated on these topics.Section 4
This section provides definitions for "appropriate stakeholders", "information technology", "IT architecture" and "network architecture". It is not clear why this was not at the beginning of the EO and got stuck at the end.Section 5
This section contains the usual legal fine print to assure the constitutionality of the EO.My commentary
Reading through this, it strikes me that there is no one that has a big picture view of where we are. I feel that a lot of what is mandated for reporting is fact-finding, but the kind that is trying to substantiate hunches which might be the kernel of a different plan already hatched but realized to be sufficiently controversial such that justification needs to be generated. In the press, there has been much discussion of exploited vulnerabilities, often situations where it was the users rather than some system flaw that was exploited to gain access, read files and wreak the ensuing havoc.Having or creating an overarching IT strategy for the government and using the tools available to government, including regulation, to have sufficiently secure, reliable and usable IT systems is a laudable goal. However, reaching that goal, and if we are to infer things from this EO and media headlines, is going to take money, people, time and enforcement of rules to a much greater extent than what one might believe from the messaging so far: "It will be great, we'll get it done quickly and you will never have to worry about it again."
While diversity can be an obstacle in some senses, it also has to be recognized as a part of defense in depth for IT systems. Common-mode failures can affect the entirety of a homogenous system. If the interfaces can be constructed adequately, having a granular network structure that has firewalls between segments which contain some amount of diversity, diversity could be an effective way to contain issues provided the overhead of implementation does not break the usability or maintainability of the systems involved.
It seems to me that consideration should be given to the establishment of a new department of the Executive branch with overarching responsibility for IT deployment and support. There is mention in the EO promoting information sharing. This could be made unnecessary through a central function. Ultimately, if no such Department of IT is established, it should be a major agency within one of the existing departments but with a branch level mission and sufficient authority to guide and direct all IT activities in the Executive branch, if not all three branches.
Dialogue and cooperation with the private sector, whether that is critical infrastructure or defense industry does have some risks. For example, does it create moral hazard in private companies getting free consulting from the government on IT systems design, deployment and maintenance? Alternatively, close cooperation with a large software or hardware firm can lead to corruption and the appearance of bias or favoritism for procurement. Hopefully the appropriate people assure that these concerns are addressed during the report writing stage when they look at recommendations for any proposed cooperation with the private sector.
No comments:
Post a Comment