The federal government’s overall philosophy for approaching cybersecurity is an open question one week into the Trump administration, though a few pieces of the policy are coming into focus.
Of special interest to the business community, efforts will continue to ensure that the framework of cybersecurity standards, developed by the National Institute of Standards and Technology, remains at the heart of government-industry engagement on cyber.
NIST issued revisions to the 2014 framework just before the Obama administration left office this month, and this process won’t be affected by President Trump’s executive order freezing regulatory actions.
The framework pulls together industry best practices and offers a coherent guide to developing a cyber risk-management system at organizations of all types and sizes. It was the Obama administration’s answer to the demise of more regulatory approaches to cyber on Capitol Hill, and it seems logical that the Trump administration will embrace its continued use.
Over at the Federal Communications Commission, a hotbed of cyber policy development, Ajit Pai was named last week to succeed Thomas Wheeler as chairman. That produced a cheer from many in the telecom sector who lamented what they viewed as Wheeler’s predisposition toward regulation.
Pai has called for a modest FCC role on cybersecurity, after the commission for the past few years drove an aggressive cyber agenda on issues ranging from personal privacy to the Internet of Things.
Less thrilling to the business sector is that mandatory cyber rules for the financial sector, developed by the Federal Reserve Board of Governors and other agencies, appear set to progress despite the regulatory freeze. Industry says these rules will divert resources from real cybersecurity efforts.
Those moves, while important, don’t address underlying philosophies, strategies and leadership.
The questions loom large, starting with the scope and direction of a 90-day review of federal and critical infrastructure cybersecurity that Trump has promised. There has been no word yet on when that launches or who will lead the process.
“I haven’t heard anything,” Senate Armed Services Chairman John McCain, R-Ariz., told InsideCybersecurity.com last week.
Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., suggested the Department of Homeland Security would be “one” of the entities with a role in the review, but had no details yet.
The president’s executive order on a federal hiring freeze also has lawmakers scrambling to determine what it means for the government’s cybersecurity policy leaders and workforce, although the order does include exemptions for national security-related positions and some flexibility in implementation.
And questions are popping up in unexpected places.
For instance, the president’s executive order on immigration included a clause saying Privacy Act protections apply only to U.S. citizens and lawful permanent residents, casting some doubt on how standards will apply in various international contexts, perhaps including through the “Privacy Shield” painstakingly negotiated by the U.S. and European Union.
“It’s troubling just on its own merits,” said Gabe Rottman of the Center for Democracy & Technology. “The federal government collects an enormous amount of information on non-citizen/non-PR individuals in the United States. There’s no good policy reason to exclude them from its important protections.”
It also remains to be seen how the panel of private-sector cybersecurity leaders, to be convened by former New York City Mayor Rudolph Giuliani, will contribute to cyber policy development.
These are early days, to be sure, but it’s worth remembering that cybersecurity is still a relatively new issue for policymakers, and the structures and consensus built so far remain fragile.
A draft of a cyber executive order leaked late last week said the 90-day review would be run jointly by DHS and the Pentagon, along with senior White House officials.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.

