view counter

CybersecurityNew executive order on cybersecurity highlights need for deterrence, protection of key industries

By Frank J. Cilluffo and Sharon L. Cardash

Published 12 May 2017

President Trump’s new executive order on cybersecurity for federal computer networks and key elements of the country’s infrastructure – such as the electricity grid and core communications networks – builds meaningfully on the work of the Obama administration. Cybersecurity is ultimately an exercise in risk management. Given the range of possible threats and the pace at which they may appear, it is impossible to protect everything, everywhere, all the time. But it is possible to make sure that the most valuable resources (such as particular networks and systems, or specific data) are properly protected by, at minimum, good cyber-hygiene – and ideally, more. Overall, the order is a solid document, with guidance that is both measured and clear. Key to its success – and ultimately to the country’s security in cyberspace – will be the relationship the government builds with private industry. Protecting the country won’t be possible without both groups working in tandem.

President Trump’s new executive order on cybersecurity for federal computer networks and key elements of the country’s infrastructure – such as the electricity grid and core communications networks – builds meaningfully on the work of the Obama administration. It focuses on matters of common and bipartisan concern, meaning it is likely to avoid the disquiet and disorganization generated by other recent executive orders.

Cybersecurity is ultimately an exercise in risk management. Given the range of possible threats and the pace at which they may appear, it is impossible to protect everything, everywhere, all the time. But it is possible to make sure that the most valuable resources (such as particular networks and systems, or specific data) are properly protected by, at minimum, good cyber-hygiene – and ideally, more.

The executive order seeks to do just that, by calling on Cabinet secretaries and the heads of other federal agencies to follow the Framework for Improving Critical Infrastructure Cybersecurity, created by the National Institute of Standards and Technology under the Obama administration. That framework also figures prominently in the final report of Obama’s Commission on Enhancing National Cybersecurity.

Three key topics of the executive order are of particular interest because they suggest significant new developments in the federal government’s approach to cybersecurity. The order rightly highlights cyber-deterrence, the process of discouraging prospective attackers from actually trying to breach our systems. In addition, the order correctly identifies the electricity grid as needing stronger security – as well as the military’s warfighting capabilities.

Stepping up cyber-deterrence
One crucial element that has been largely missing from American cybersecurity efforts so far is cyber-deterrence. Just as nuclear deterrence let countries with nuclear weapons know that launching a nuclear attack would mean their own swift and sure destruction, cyber-deterrence involves making clear to prospective adversaries that attacks will either be too unlikely to succeed, or will be met by certain and severe retribution.

The executive order asks a wide group of senior government officials – the secretaries of Commerce, Defense, Homeland Security, State and Treasury, plus the attorney general, the government’s top trade negotiator and the director of national intelligence – to develop options for deterring cyber-adversaries (without specifying any in particular).