More than a third of the White House National Infrastructure Advisory Council (NIAC) has given President Donald Trump a failing grade on cybersecurity. But before that, they had a hand in a draft cybersecurity plan that could improve that grade.
A group resignation, which reduced the council from 28 to 20 members last week (three were Obama administration holdovers), came with a resignation letter protesting what the outgoing members said was Trump’s “disregard for the security of American communities”.
Much of their focus was on moral and environmental issues – what they said was Trump’s failure to “denounce the intolerance of hate groups,” after the violence in Charlottesville, Va., and his withdrawal from the Paris climate agreement.
But they also cited “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.
They’re not the only critics. Sen. John McCain (R-AZ), chairman of the Senate Armed Services Committee and a regular critic of the president, recently had harsh things to say about both Trump and his predecessor, President Obama, when it comes to their leadership on cybersecurity.
Speaking at the Arizona State University Congressional Conference on Cybersecurity Conference last Wednesday, McCain said that as America’s enemies “seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.”
All of which is true, but all of which is not the whole truth. Trump has indeed been late – quite late – on promises regarding cybersecurity. He promised an executive order on it within weeks of his inauguration, and was reportedly due to sign it in late January, but it was delayed until May 11.
That order, however, did provide some specifics – it instructed federal agencies to implement the NIST Framework for Improving Critical Infrastructure.
It got mixed reviews from cybersecurity experts. Jacob Olcott, vice-president at BitSight and former legal adviser to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, said it was “smart policy and a big win for this administration”.
On the other side, Daniel Castro, vice-president of the science- and tech-policy think tank Information Technology and Innovation Foundation (ITIF), called it “mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country needs to address its most pressing cyberthreats”.
But such a plan could be in the works if the administration acts on a draft report approved just a couple of weeks ago by the NIAC, prior to the resignations.
The report, titled “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure“, is based on “the review of hundreds of studies and interviews with 38 cyber and industry experts, (which) revealed an echo chamber, loudly reverberating the enormity of the challenge and what needs to be done”.
It says that while both government and the private sector have
… tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks … today we’re falling short. Cyber capabilities and oversight are fragmented, and roles and responsibilities remain unclear. We’re simply not organized to keep up with the threat.
The report declares that “there is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack to organize effectively and take bold action”.
And that is followed by 11 recommendations, which include:
- Establish separate, secure communications networks, specifically designated for the most critical cyber networks.
- Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies.
- Identify best-in-class scanning tools and assessment practices, and work with owners of critical networks to scan and sanitize their systems.
- Strengthen today’s cyber workforce by sponsoring a public-private expert exchange program.
- Streamline and expedite the security clearance process for owners of the nation’s most critical cyber assets.
- Rapidly declassify cyber threat information to share it with owners and operators of critical infrastructure.
- Create a task force of experts in government and the electricity, finance and communications industries, to act on the nation’s top cyber needs with the speed and agility required by escalating cyberthreats.
All of which sounds a lot like a plan.