Whether you’re a critic or a fan of the Executive Order (EO) released by the White House last week, at least the Administration took a leadership role and a step in the right direction by addressing the serious issue of defending US companies and government agencies against cyber attacks on the digital battlefield. Given the collapse of the legislative effort in Congress and the realization that something needs to be done, at this point something is better than nothing. The Administration should be applauded for an EO that puts the spotlight on cybersecurity. Briefly, let’s summarize what the EO accomplishes:
- The EO acknowledges that we are in a state of information warfare at the nation-state level and that this represents a clear and present danger to the United States.
- The EO authorizes the development of a NIST-led cybersecurity framework initiative for the benefit of the private sector in developing best practices, including a timeline and an assessment/reporting requirement.
- The EO opens information sharing between the federal government and private sector with the goal of assisting and reducing cyber risk to critical infrastructure.
- It expands government programs to include more private sector subject-matter experts working in federal service on a temporary basis.
- The EO ensures that privacy and civil liberties protections are considered by the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS), who will assess the privacy and civil liberties risks of the programs undertaken.
- Under the EO, DHS will develop consultative relationships with Critical Infrastructure Partnership Advisory Councils (CIPACs).
- Under the EO, the US Office of Management and Budget (OMB) and National Security staff, including regulatory agencies, will determine whether the cybersecurity framework is in need of more regulation to protect critical infrastructure. If it is determined current regulation is insufficient, they are authorized to develop additional regulations on a risk basis to meet the desired outcomes.
So what has industry’s sentiment regarding the EO been thus far? It’s a good start, apart from a few critical areas that have gone unaddressed.
From (ISC)²’s perspective, the workforce is one of those critical areas that is missing. For a field whose workforce is far overtaxed to the point where there is little to no unemployment, funding for training and education of the cybersecurity workforce is mandatory. The Administration should have addressed this, along with the other critical workforce issues, and at the very least authorized funding for scholarships in the field as outlined in the failed Cybersecurity Act of 2012.
Moving forward, what should we be concerned about? The EO is voluntary unless the government determines that it is failing to reach its goals, at which point regulations may be strengthened. Companies meeting the goals toward improving protection should be incentivized. It is unfortunate that EOs cannot provide for that.
Should government be the authority on judging how well the goals outlined in the EO are being met, or should private industry play that role? As with any EO or legislation, only time will tell how well implementation is carried out and whether goals are met.
Marc H. Noble, EWB Member and (ISC)² Director of Government Affairs, was lead author of this peer-reviewed post