We Don’t Need More Reports on Cybersecurity. We Need Action.
President Trump issued an executive order on cybersecurity this week, a much-anticipated document that he set in motion soon after his inauguration with the promise that it would go far toward solving the urgent problem that has stymied his predecessors.
Given the universal awareness of hacking as a problem that endangers our society, economy, military might, and—after the 2016 election—our democratic politics, you would think that an executive order of this sort would lay down serious rules, guidelines, and penalties for evasion.
In fact, the order, titled “On Strengthening the Cyber Security of Federal Networks and Critical Infrastructure,” signed on Thursday (long after its original deadline of Jan. 31), is a feeble mishmash—a few good ideas backed by no money or mechanism to turn them into practice, followed by a call for several reports the likes of which have been gathering dust in the archives of the past five presidents.
Finally, even if Trump’s order were brilliantly designed and easily implemented, it would address only a small slice of the problem.
One of the order’s good ideas is a provision holding Cabinet secretaries and agency directors “accountable” for ensuring that their department’s computers and software are up to date and secure. This is a genuine improvement over current policy, which pins the credit or blame on the information technology chiefs several layers down in the bureaucracy.
But two vital matters go unaddressed here. First, it’s unclear what “accountable” means. Let’s say that the State Department’s embassy in Togo continues to run its computers with Windows 95. Does Rex Tillerson get fired, publicly humiliated, or otherwise called to the Oval Office mat? If not, this task is certain to rank very low in any Cabinet secretary’s priorities. And if the secretaries aren’t taking responsibility, then who will? Trump has left his departments bereft of second- and third-tier personnel, having not yet nominated any deputy, under-, or assistant secretaries of state or defense.
President Obama, in his last year, signed an executive order that, among other things, created a Chief Information Security Officer for the entire federal government—an excellent idea in principle, except that the order gave this officer no power to set budgets, to fire and hire personnel, or to tell the miscreants in Togo, “I’m taking you off the internet and you’re not getting back on until you update your equipment and take the following steps.”
This criticism may sound picky, but it lies at the heart of the problem. As Richard Clarke, who drafted several executive orders on cybersecurity for Presidents Bill Clinton and George W. Bush, once put it, “Government is 10 percent policy, 90 percent implementation.” Without an order specifically empowering an individual to do what needs to be done, broad executive orders are little more than gestures.
Another missing ingredient is money. It costs a lot of money to buy new computers, to train personnel in effective security protocols, and to monitor actual practices. Obama’s order called on Congress to authorize $3.1 billion for an Information Technology Modernization Fund. Congress never funded it. Trump’s order doesn’t mention money. There’s loose talk on Capitol Hill of creating something like Obama’s fund, but advocates are proposing sums on the order of $200 million—not nearly enough.
Finally, the main goal of the order—to update IT systems in federal agencies, the military, and industries involved in critical infrastructure (banking and finance, transportation, energy grids, dams, etc.)—addresses only a small part of the problem. Yes, too many of these entities are using outmoded hardware and software; too many of their workers don’t follow, or often aren’t even aware of, basic cyberhygiene. But the much bigger problem is that even up-to-date systems are vulnerable. Take, for instance, Friday’s massive ransomware attack on hospitals in several countries, which was based on the cybertheft of the National Security Agency’s hacking tools. Another problem is that the regulations governing the commercial internet are far too skimpy, in many cases nonexistent.
Chris Wysopal, chief technology officer at Veracode, a New England–based cybersecurity firm, notes the grave insecurities in the supply chain of software that goes into systems used by government agencies and critical infrastructure. “What is the point of modernizing IT so it is more secure,” he asks, “if you don’t hold vendors accountable for delivering technology that is more secure out of the gate and is easier to maintain securely?” This is particularly true of software in the expanding sphere known as the Internet of Things, which could allow household products to be hijacked as bots in massive denial-of-service attacks, shutting down large critical-infrastructure networks.
In the late 1990s, when cybersecurity first rose to the fore as a politically prominent issue, some officials tried to impose mandatory security requirements on critical-infrastructure companies. But these proposals were blocked by corporate executives and their allies in the Treasury and Commerce departments. Some officials also proposed creating a parallel internet for government agencies, and perhaps eventually for critical infrastructures, which would be wired to a federal agency empowered to monitor and repel cyberintruders. This proposal was denounced as “Orwellian” by several members of Congress, and it was swiftly dropped.
Yet these proposals hint at the sorts of actions that need to be taken if the problem is to be seriously addressed, much less abated. Trump’s executive order notes these wider problems, but it merely calls on various agencies, officials, and entities to prepare reports on how to deal with them; the words “report” or “reports” are mentioned 27 times.
Yet very similar reports have been called for and written—sometimes acted upon but more often ignored—over and over these past 30 years.
Under President Ronald Reagan, there was National Security Decision Directive No. 145, “National Policy on Telecommunications and Automated Information Systems Security.” Under Clinton, there was “Critical Foundations,” a 154-page report by the President’s Commission on Critical Infrastructure Protection, followed by Presidential Decision Directive No. 63 (“Critical Infrastructure Protection”) and a 159-page document called “National Plan for Information Systems Protection: Defending America’s Cyberspace.” President George W. Bush signed a 60-page “National Strategy to Secure Cyberspace.”
President Obama initiated a 12-plank Comprehensive National Cybersecurity Initiative, resulting in a 72-page paper called “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.” This was followed in his second term by three documents: an executive order titled “Improving Critical Infrastructure Cybersecurity”; a “Cybersecurity National Action Plan”; and, left on Trump’s doorstep just days before the transition, a report by the President’s Commission on Enhancing National Cybersecurity. And this list doesn’t include dozens of other reports by various panels of the Defense Science Board, the National Academy of Sciences, and other august assemblies.
In other words, the time for reports is over. Every idea that might be discussed has already been discussed. If Trump wants to do something meaningful, laws have to be laid down, regulations enforced, vested interests busted. Even then, there will still be hackers, and not all the holes will be plugged. But there are serious actions that have been proposed in the past and that might still be taken. The trick is for someone to take them.