The actions in the president’s new executive order on cybersecurity are narrowly focused, best seen as small steps–the latest in a fifteen-year parade of five different White House documents across three presidencies. These actions are worthwhile on their own, but are only a small step as executive orders do not create policy, just implement it through new actions.
The new cybersecurity actions are accordingly limited, targeted on improving only critical infrastructure, still unlikely to make a significant dent in America’s long term cyber problems, unless backed by far more sustained attention than previous efforts.
Understanding the Cybersecurity Executive Order
The new actions from the president include:
· More sharing of threat information:
o The intelligence community, the Department of Homeland Security, and law enforcement produce timely unclassified versions of all reports of cyber threats to the US homeland and for DHS to get these into the right hands. DHS will also rush to get more security clearances for critical infrastructure owners and operators.
o The Department of Defense (DoD) will expand voluntary participation in its Enhanced Cybersecurity Initiative (that is, the existing DoD partnership to share information with the defense industrial base).
· New partnership council:
o DHS will establish a Critical Infrastructure Partnership Advisory Council (CIPAC) to coordinate improvements in infrastructure cybersecurity.
· More risk measurement and mitigation:
o NIST will coordinate development of a framework to reduce cyber risks to critical infrastructure, the Cybersecurity Framework, which DHS will then push with Sector Specific Agencies (such as Treasury for the finance sector) for voluntary support from critical infrastructure sectors.
o DHS will use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic incident.
Though worthwhile, these actions will get nitpicked by analysts, commentators, and trolls–including me.
Some criticism is fair. Collectively these actions won’t fix America’s cybersecurity problems and there are flaws in each action. There are longstanding bureaucratic impediments for information sharing which have proven incredibly hard to tear down and even the DoD’s vaunted sharing program has been reported as having limited positive impact. Moreover, President Clinton in 1998 set up the National Infrastructure Advisory Council which seems similar to the new CIPAC. Most commentators will eye-roll with the introduction of yet another risk framework and none of these actions will easily scale across US critical infrastructure, much less the whole private sector.
Critics however should accept these are limited actions for a limited set of problems and in that light, will make a positive difference.
Unfortunately, the White House perhaps created its own problems here, as the long, sometimes hyped, built expectations for a meatier proposal. This was to be the administration’s alternative to the failed attempts from Congress at comprehensive legislation, so the limited scope will strike commentators like a letdown, not the promising start of several new initiatives.
A Familiar Set of Actions
To understand the frustration over limited actions, here are the words of the president, words that set out a lofty goal:
No later than … five years from today the United States shall have … the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish the abilities of the Federal Government to perform essential national security missions and to ensure the general public health and safety; state and local governments to maintain order and to deliver minimum essential public services; and the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.
Unfortunately, that was Clinton in his PDD-63 of 1998. This year, rather than releasing a limited executive order, America should be celebrating the tenth anniversary of our achieving that goal, in 2003.
But instead of enjoying the fruits of that success, instead President Bush in 2003 had to release two cyber policy documents, HSPD-7 and the National Strategy to Secure Cyberspace. They laid out similar goals and actions (though all after them, they avoided specific dates for completion). President Bush created the (still classified) Comprehensive National Cybersecurity Initiative in 2008, with similar goals to its predecessors but focused largely on the US government. This effort was kept in place by Obama, who added his Cyberspace Policy Review of 2009 and also added the International Strategy for Cyberspace, which largely avoided domestic cybersecurity issues. Alongside this new cybersecurity executive order, Obama also just released an update of HSPD-7.
Over fifteen years, the goals and actions in these policies are largely interchangeable. Despite the marginal improvements from each, we are still in similarly dire straits as fifteen years ago. Indeed, to hear many government officials and private sector executives, we have only fallen farther behind. If fifteen-year old policies seem fresh, then those actions did not work and the government did not meet the president’s goals. Serious policy analysts must ask, what did we do wrong? What should we do better now, to create real change?
Breaking the Cycle
The new cyber executive order is a set of limited actions for a limited, but critical problem, the security of US critical infrastructure. The White House should be congratulated for this small step and officials there promise more new cyber policies in the months ahead.
Now they need to focus on a true cyber strategy, one that moves into giant leaps with actions that will scale, not only in the United States but across the world. A small amount of effort must achieve outsized results. The Scandinavian countries have started to achieve this locally, through policies such as having Internet Service Providers quarantine computers with obvious malware. This could work here as well and, with similar policies, might start to yield new results.
US cybersecurity policy is now suffering from diminishing returns. Resources will continue to pile into programs only to find the same problems as 1998. If policymakers want to make real progress to reduce America’s vulnerabilities, they will sometime have to issues policies that are a break with the past.
Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter @Jason_Healey.