A proposed White House cybersecurity policy would empower the federal government to take a greater role in protecting the nation’s digital infrastructure, much of which is in private hands.
But a draft copy of an executive order on the issue is also notable, observers say, because beyond its calls to “decisively shape cyberspace” it diminishes the role of once-key players, such as the FBI, and makes no mention of protecting election systems.
Nor does it go as far as the Republican Party platform approved last July, which sought to enshrine the right of citizens to “hack back” and take other offensive digital measures.
The draft executive order declares the internet “a vital national resource,” assigns the executive branch the role of guarding crucial private and public networks, and sets out 60-day and 100-day timetables to determine vulnerabilities, identify the nation’s major cyber adversaries and design incentives for private companies to adopt better practices.
Once a security review is done, the draft calls on the secretaries of defense and homeland security, along with the chief of the National Security Agency, to identify areas where the U.S. government needs to focus to ensure “long-term cyber capability advantage.”
“Compared to other recent orders, this one is fairly tame,” Charley Snyder and Michael Sulmeyer wrote Monday on the Lawfare blog, which focuses on national security law.
The two authors, both associated with the Cyber Security Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, noted with surprise that no role was assigned to the Federal Bureau of Investigation.
“We are not sure how to explain this, as the FBI and law enforcement secured an important role in cybersecurity early in the Obama administration,” the post noted. “FBI zealously guards its role in investigating malicious cyber activities, and had been given a leading role in Obama-era policies.”
Sulmeyer said in a subsequent telephone interview that he thought the omission of the FBI in the draft was “another case of a slipshod process.”
“It’s like the immigration (executive order) where we hear that (the Department of Homeland Security) didn’t have a chance to look at the thing until the eleventh hour,” said Sulmeyer, a former cyber adviser to the Defense Department.
While the Obama administration focused on collaboration between the public and private sectors for cybersecurity, the Trump administration seeks more legal authorities to protect private networks deemed critical to the nation’s economy and security.
“The federal government has a responsibility to defend America from cyberattacks that could threaten U.S. national interests or cause significant damage to Americans’ personal or economic security. That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure,” says the draft executive order, first published in The Washington Post.
The lack of any mention of how to protect digital election systems also drew some criticism, given allegations by U.S. intelligence agencies of Russian hacking during last year’s U.S. election.
What remains unclear is how far the administration will go to protect private financial networks, email networks run by Google and Microsoft, and other nongovernmental systems.
Many private internet and communications companies are wary of government oversight of their security, partly due to clashes in the past year over privacy issues and federal access to data, Sulmeyer said. Last year, Apple fought a federal court order requiring it to provide the FBI with a “back door” into the iPhone used by Syed Rizwan Farook, one of two perpetrators of a terrorist attack in late 2015 in San Bernardino, California, that left 14 civilians dead.
“At some point, they will have to say something about law enforcement access to data, the whole encryption Apple debate and back doors,” Sulmeyer said. “It’s not clear what the administration’s view of privacy really is.”