On May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The intention was to reduce cybersecurity risks to national security by improving federal agencies’ cybersecurity and information technology (IT) systems.

The executive order holds the heads of federal agencies accountable for their agencies’ risk management practices.

While similar policies were developed for the Federal Information Security Management Act (FISMA), EO 13800 requires the executive branch to collaborate on remediating vulnerabilities in order to maintain the integrity of national cybersecurity.

Executive Order 13800 culminated in the creation of the National Cyber Strategy of the United States of America in September 2018.

While the order reiterates previously established policies, it has helped raise awareness of the importance of cybersecurity at the federal, state, and local levels and throughout the private sector.

NIST and EO 13800

While federal agencies were never total strangers to cybersecurity, once FISMA and EO 13800 were enacted, they had to adhere to the National Institute of Standards and Technology (NIST) Cybersecurity Framework — also referred to as the Framework for Improving Critical Infrastructure Cybersecurity — as opposed to metrics based on NIST methodologies.

The NIST Framework also identifies NIST Special Publications common to the private sector and its development of strong cybersecurity risk management practices.

What Did EO 13800 Establish?

To gather information required to achieve these goals, the President demanded reports and assessments from agency heads, including the Director of National Intelligence, the Secretary of Defense, and heads of the Department of Homeland Security (DHS) and the FBI on the following subjects:

  1. International Priorities
  2. Foreign Cybersecurity Workforce Practices (with a focus on the US’s cybersecurity competitiveness in the long term)
  3. Agency Risk Management and Mitigation
  4. Modernizing Federal IT (with support from the Secretary of Commerce and including recommendations for modernization by transitioning to cloud computing and other shared services)
  5. Marketplace Transparency
  6. Cyber Incident Response to the Electric Sector
  7. Cybersecurity Risks to the Defense Industrial Base
  8. Cybersecurity Deterrence Options
  9. Engagement Strategy for International Cooperation
  10. Federal Risk Management and Mitigation
  11. Modernizing National Security Systems
  12. Growing and Sustaining the Cybersecurity Workforce of the Public and Private Sectors
  13. Strategies to Improve National-Security-Related Cyber Capabilities
  14. Support Critical Infrastructure at Greatest Risk
  15. Efforts to Reduce Botnet Threats (a preliminary, publicly available report and a final report for the President only, including how the government collaborates with stakeholders in the public and private sectors)

To prioritize cybersecurity in the federal government as a matter of national security, the executive order made the following points:

  • Agencies must evaluate risks to information security.
  • Identified risks must be reported to the Secretary of Homeland Security and the Office of Management and Budget (OMB).
  • The DHS and OMB must work with agencies to identify their vulnerabilities and reduce the federal enterprise's cyber risks.
  • Agency heads must procure shared services, including cloud technology.
  • Agencies should be transparent to improve awareness and understanding of cybersecurity risks.

EO 13800 Context

It’s important to remember that this executive order was created in the midst of 2018’s rapidly evolving threat landscape, which included electoral manipulation, cyber espionage, and cyber attacks.

The use of cyber attacks to disrupt democratic processes has been felt in the US, the UK, and Germany in recent years with Russian and Chinese manipulation of social media platforms like Facebook and Twitter. Russia’s 2015 cyber attack on Ukraine’s power grid is an excellent example of a cyber attack on critical infrastructure.

The Four Pillars of the National Cyber Strategy

After EO 13800, the Trump administration issued the National Cyber Strategy of the United States of America. This all-encompassing document impacted all parts of the US, from the federal to the state and private sectors.

EO 13800 builds on the work of the Clinton administration, which created the US’s first Information Sharing and Analysis Centers (ISACs) to improve public-private cybersecurity partnerships. It created the Financial Services ISAC in 1999 when seven critical infrastructure sectors had been identified.

The Bush administration saw the creation of the DHS in 2001 and formally addressed cybersecurity risks with directives aiming to provide a robust and long-lasting approach to anticipating cyber threats to national security. The Obama administration supported Clinton’s US Cybersecurity Public-Private Partnership (PPP) and the use of ISACs.

Today, there are 18 recognized critical infrastructure sectors and ISACs. The Automotive ISAC is the latest addition and has signed a Cooperative Research and Development Agreement (CRADA) with DHS to identify and remediate cyber threats to automated vehicles with the help of the private sector.

The four pillars of the National Cyber Strategy are as follows:

Pillar One — Protecting the American People, the Homeland, and the American Way of Life

This pillar focuses on protecting public and private information systems and asserts that the federal and private sectors share the responsibility.

The pillar states that this can be achieved by:

Law enforcement is encouraged to work with the private sector to disable botnets and dark markets. The intention was also to modernize surveillance and cybercrime laws, alongside promoting international cooperation to pursue cyber criminals overseas.

Importantly, this first pillar admitted the importance of ICT providers in national cybersecurity and the criticality of balancing security with privacy and freedom. To maintain a secure supply chain in a rapidly evolving cyber threat landscape, it is necessary to work widely with ICT providers, which sometimes means declassifying federal information as far as possible.

Pillar Two — Promoting American Prosperity

The second pillar of EO 13800 states that the technology marketplace must promote best practices and adopt secure technologies.

To help achieve this, the administration aimed to enhance the awareness of cybersecurity best practices to increase market demand for compliant initiatives and innovations.

Part of fulfilling this goal was embracing 5G, artificial intelligence, and quantum computing. These technologies are major disruptors to traditional operations and offer significant efficiency, capability, and creativity enhancements.

Pillar two also acknowledged the need to improve digital trade through full life-cycle cybersecurity: stronger default security settings, upgradeable products, and differentiation of products according to their security features and the practices used to create them.

Today, this approach would improve some problems with IoT devices. As a consequence of cost-saving efforts and a lack of regulation, IoT devices tend to have poor inbuilt security, including weak default password settings. Furthermore, they cannot typically upgrade their security, making them vulnerable endpoints that pose risks to the networks on which they are used.

Another key aim of the second pillar of the National Cyber Strategy was to develop a stronger cybersecurity workforce in the US. Recognizing the ongoing evolution of cyber threats, the administration identified that it must improve the nation’s preparedness by supporting the creation of a sustainable, trained cybersecurity workforce.

To this end, the National Initiative for Cybersecurity Education was tasked with educating and retraining individuals from secondary to professional levels.

Pillar Three — Preserving Peace Through Strength

The third pillar encourages standardization regarding cyber norms and international law to make cyberspace more predictable and stable.

It determined that the US should lean on US intelligence and the US International Cyber Deterrence Initiative, collaborating with civil society, academics, the private sector, and partnerships with foreign governments to counter cyber espionage, cyber attacks, and other attempts to disrupt or manipulate US information systems.

Pillar Four — Advancing American Influence

The final pillar of the US National Cyber Strategy asks for every US citizen and every organization to work together to improve national security.

It emphasizes that everyone is responsible for the nation’s cybersecurity and that diverse organizations promoting data protection and privacy should work together.

Information-Sharing and Collaboration

One of the main drives and benefits of EO 13800 and the Trump administration’s push to improve cybersecurity was acknowledging the need for information sharing and collaboration. It appeared to give collaborative initiatives more weight than the search for solely technological solutions.

This was a timely observation. Cyber threats evolve rapidly. Technological solutions can help safeguard information systems, but the most effective solution to a rapidly evolving threat is one that can stay up-to-date and evolve, too.

By sharing information about cyber attacks, successful or otherwise, organizations can benefit from up-to-the-minute threat intelligence and protect themselves from new dangers.

The Common Vulnerabilities and Exposures (CVE) list, created in 1999, is an excellent example of information sharing. It provides an online hub where organizations can see known vulnerabilities and begin vulnerability remediation accordingly.

Since most US critical infrastructure is owned and operated by the private sector while regulated by government agencies, public-private collaborations are essential for safeguarding critical infrastructure, federal agencies, and private citizens from cyber threats within the US and overseas, whether politically or financially motivated.

NIST, which is used by a vast number of organizations worldwide, is a strong proponent of collaboration and information-sharing, which was integral to the creation of its Framework for Improving Critical Infrastructure Cybersecurity.

It continues to lead meetings between the government, academics, and industry, while the DHS coordinates a significant amount of public-private sector information-sharing via the ISACs.

This approach, with incentives for cooperation, contributed to the enhanced response capabilities that dealt with the GameOver Zeus botnet. The DHS and FBI worked with actors in finance and business to disable the dangerous botnet, which is believed to have been responsible for stealing millions of dollars worldwide.

Contrast this with the evident lack of coordination when hacker group “Guardians of Peace” attacked Sony Pictures in 2014, leaking confidential data in what some deemed to be an attack sponsored by North Korea in response to the then-upcoming movie “The Interview” about an assassination attempt on Kim Jong Un.

In addition to reputational damage and the untimely release of confidential intellectual property, Sony suffered an estimated $35 million loss due to stolen emails and documents, destroyed computers, and the cost of repairing the system following the breach.

With advanced information-sharing building on the pre-existing components of ISACs and the Cybersecurity and Information Security Agency (CISA), both private and public sector organizations should benefit from better action plans and faster and more comprehensive responses to cybersecurity incidents.

Review of EO 13800’s Impact on US Cybersecurity Practice

While this presidential policy directive did much to improve the awareness of cyber threats and cybersecurity, organizations have much more to do to safeguard their information systems from existing and emerging threats.

Cyber espionage, the manipulation of political processes by insiders and nation-state-sponsored hacking groups, and the potential for attacks on critical sectors are all firmly on the map. However, while information-sharing initiatives have helped improve how response teams handle cyber incidents, many businesses are still exposed due to known issues, such as:

In addition to putting cybersecurity on the map (with the help of some major cyber incidents, of course), EO 13800 also significantly improved how organizations share information and work together to combat cybercrime.

Importantly, EO 13800 also made agency heads accountable so that the Department of Defense and other critical infrastructure operators and owners could not remain unprepared for the increasing risks in cyberspace.
