Cybersecurity Executive Order (EO) Kicks Off Vital 240 Day Period For Tech Industry
On May 12th, 2017, President Trump signed an Executive Order on cybersecurity. The main focus of the EO is on how the Federal government handles cybersecurity. Federal agencies are asked to start drafting plans on how to improve their cybersecurity readiness, and will soon be issuing reports to the administration.
These reports require the voice of a group like i2Coalition. In fact, it is for situations like this that i2Coalition exists: to ensure that, as the Federal government takes a close look at how the Internet is to be protected at a Federal level, it understands the full ramifications of how Internet businesses will be affected by decisions that are made as a result of the reports now being written. After some very high-profile cyber attacks over the past year, agencies will be looking to propose efforts that step up how cybersecurity is dealt with. Our job is to make sure that these reports are generated with suggestions that have been put through the filter of how they will affect Internet infrastructure businesses.
i2Coalition plans to actively engage with agencies on a number of reports, but we are particularly interested in the report on Resilience Against Botnets and Other Automated, Distributed Threats. This report, called for in Section 2 (d), may end up having the most far-reaching effects on the entire industry because it calls for exploration about how systems and devices outside of Federal systems affect Federal networks. Recommendations that make it into this report may end up leading to things that touch Federal systems being considered “critical infrastructure.”  If recommendations come out that expand the definition of “critical infrastructure,” we may end up seeing new requirements come out of this report that could change the landscape of who gets to be an Internet infrastructure company. Without the right balance, this report could completely change the cost structure of existing Internet infrastructure companies, and change barriers of entry into the industry in ways that negatively disrupt innovation.
Section 3 (c) calls for ideas on how we can more quickly and efficiently collaborate with other companies to identify and deal with cyber threats. We will be discussing ways that this can be done without negatively disrupting how business is done on the Internet. We don’t want law enforcement cooperation to result in sharing data in ways that violate fundamental liberties / international (read European) norms.
The administration references the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) throughout the EO. i2Coalition has been a proponent of the NIST CSF, and is a contributor to the process that created it. The NIST CSF is effective because it was developed in collaboration with industry, is built on open standards, and is voluntary. It is a very good thing that this is the standard the White House has chosen to focus its attention on. The CSF includes a process of identifying a Framework Profile that fits the needs of a business or industry, and compliance standards within that Framework Profile are then applied in accordance with the narrow need of that company. Certainly, adherence to some Framework Profiles within the NIST CSF isn’t easy and can carry a heavy cost. Many compliance standards referenced by the CSF require complex, potentially expensive audit procedures. This needs to be acknowledged as officials assess which Framework Profiles fit the needs of government contractors. The future ability of small businesses to provide services to the Federal government is at stake. The NIST CSF is the right framework to be talking about, but i2Coalition looks forward to engaging with agencies to discuss how to apply these voluntary standards in ways that don’t end up shutting out all small businesses.
The critical Resilience Against Botnets study is due 240 days from May 12th, 2017. i2Coalition is busy opening up dialogues with the right agencies to ensure our voices are heard on this and other studies. We want to make sure that reports are written that respect both cybersecurity and innovation, and that reflect a keen understanding of both. We at i2Coalition know that the next 240 days are critical to the future of cybersecurity, and that these reports could mean a big change for Internet companies, including i2Coalition members. If you’re a member, join us in our monthly policy discussions and be a part of contributing to this process. If you aren’t, but you are an Internet business, now is the time to join and get involved. This cybersecurity EO is the beginning of a conversation we all MUST take part in.