A cyberattack is sweeping the world, infecting thousands of computers and demanding their owners pay a ransom or risk losing all their data. The threat, which has affected the FedEx shipping company, several hospitals in the UK, a major Spanish telecommunications company, and many more, makes even more urgent the need to improve U.S. cybersecurity – both within the federal government and throughout our internet-connected society.
President Trump’s new executive order on cybersecurity for federal computer networks and key elements of the country’s infrastructure – such as the electricity grid and core communications networks – builds meaningfully on the work of the Obama administration. It focuses on matters of common and bipartisan concern, meaning it is likely to avoid the disquiet and disorganization generated by other recent executive orders.
Cybersecurity is ultimately an exercise in risk management. Given the range of possible threats and the pace at which they may appear, it is impossible to protect everything, everywhere, all the time. But it is possible to make sure that the most valuable resources (such as particular networks and systems, or specific data) are properly protected by, at minimum, good cyber-hygiene – and ideally, more.
The executive order seeks to do just that, by calling on Cabinet secretaries and the heads of other federal agencies to follow the Framework for Improving Critical Infrastructure Cybersecurity, created by the National Institute of Standards and Technology under the Obama administration. That framework also figures prominently in the final report of Obama’s Commission on Enhancing National Cybersecurity.
Three key topics of the executive order are of particular interest because they suggest significant new developments in the federal government’s approach to cybersecurity. The order rightly highlights cyber-deterrence, the process of discouraging prospective attackers from actually trying to breach our systems. In addition, the order correctly identifies the electricity grid as needing stronger security – as well as the military’s warfighting capabilities.
Stepping up cyber-deterrence
One crucial element that has been largely missing from American cybersecurity efforts so far is cyber-deterrence. Just as nuclear deterrence let countries with nuclear weapons know that launching a nuclear attack would mean their own swift and sure destruction, cyber-deterrence involves making clear to prospective adversaries that attacks will either be too unlikely to succeed, or will be met by certain and severe retribution.
The executive order asks a wide group of senior government officials – the secretaries of Commerce, Defense, Homeland Security, State and Treasury, plus the attorney general, the government’s top trade negotiator and the director of national intelligence – to develop options for deterring cyber-adversaries (without specifying any in particular).
Deterrence must, by nature, be multi-dimensional: It has to include a variety of obstacles to incoming attacks, as well as potential consequences for attackers. Coordinating diplomacy, military and economic efforts will be crucial to presenting a unified front to would-be adversaries.
This is not to say that a one-size strategy will fit all. To the contrary, besides a robust general posture, the U.S. must also tailor its specific deterrence efforts to make sure they are effective against individual potential adversaries.
Protecting the grid and the military’s warfighting capabilities
The executive order also calls for additional protection of the electricity grid against cyberattacks. The potential is not hypothetical: Ukraine’s grid was attacked twice, in December 2015 and December 2016.
And it calls attention to the military’s industrial base, including its supply chain – which collectively produces, delivers and maintains weapons systems and component parts that are necessities for the Department of Defense. A successful cyber-attack on key suppliers could hamstring America’s armed forces as much as a physical incursion against them on the battlefield.
Yet, as important as it is to identify and remedy existing vulnerabilities, the better course is always to design computer systems securely in the first place. The executive order focuses more on the former than the latter, since we must work with the capabilities and equipment we have, rather than just those we would wish to have.
More generally, the executive order discusses and reinforces the basic principles of good cyber-hygiene. For instance, it emphasizes the significant risks to departments and agencies, and the citizens they serve, if known vulnerabilities remain unrepaired. For instance, without proper protections, taxpayer records, Social Security data and medical records could be stolen or fraudulently altered.
Sadly, this is a vital issue. Recent testimony from the Government Accountability Office documents the widespread problems government agencies have failing to install routine security upgrades and even using software so outdated the company that created it no longer supports it.
But the executive order also looks to a future federal government that takes advantage of cloud computing and the Internet of Things. The document not only calls for safeguarding existing networks and data; it declares the importance of systematic planning for future technological upgrades and advances, to manage risk effectively. Maintenance and modernization both matter, and both must be done securely.
Overall, the order is a solid document, with guidance that is both measured and clear. Key to its success – and ultimately to the country’s security in cyberspace – will be the relationship the government builds with private industry. Protecting the country won’t be possible without both groups working in tandem.
Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, George Washington University and Sharon L. Cardash, Associate Director, Center for Cyber and Homeland Security, George Washington University