Finally, after three months in office and four drafts, the president’s executive order, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” was issued Thursday.

The result is that we are still at enormous risk, both in the private and public sectors, of catastrophic cyberattacks inflicting long-term damage on our economic, intelligence, national defense, and critical infrastructure, and in another year, we will have a bunch of reports telling us how bad it is and how much it will cost to fix it.

The order is eight pages of calls for study, assessments, and 16 assessment reports all due within 45 to 365 days from as many as 18 participating agencies and departments, plus many loosely identified as “other interested agency heads and appropriate stakeholders.”

And with the exception of an order to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework, there was no other call to action.

The report also relies on substantial cross-government cooperation that seems surely destined for bureaucratic delay.

“The Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options,” the order reads.

If the course for New World discovery was determined by a group like this, Columbus would still be parked at the dock. To paraphrase the order, it calls for an implementation of the NIST Cybersecurity Framework across all agencies, a review of each agency’s cybersecurity risks, a plan to protect the executive branch and all its subsidiaries, and a new IT architecture based on a shared services model. Which is all good, except that it should have been done years ago and doesn’t do nearly enough.

In addition, it wants five agencies to report on how difficult it will be to get there and how much it will cost, another half-dozen to report on ways in which we can better protect ourselves, plus a section on “international cooperation” that really translates to finding out how good our enemies are on cybersecurity. If we wait another year, we won’t need a report to find out.

It wants the Labor and Education departments, along with six other agencies, to investigate the scope and effort required to grow a national cybersecurity workforce, and to examine our adversaries, described as “foreign cyber peers,” in order to help identify foreign workforce development practices that we could mimic.

Why can’t we start training people right now? What’s there to study? There are a million and a half unfilled cybersecurity jobs today. The North Koreans have 10,000 highly trained and skilled cyberhackers happily dancing around in cyberspace while we spend the next four months writing a report on how we can “support the growth and sustainment of the nation’s cybersecurity workforce?”

The order addresses our national defense and our “warfighting capabilities and industrial base” by calling for an evaluation of “cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities.” Why did I think we already had a Department of Homeland Security and Counterterrorism? What do they do?

In addition to the lack of a call for actual action, the more depressing takeaways are:

1.) There is no call for private sector expertise; it only asks the government to participate, which all but guarantees its failure.

2.) It fails to call for IT modernization, so it defaults to securing ancient IT systems, a really bad idea that starts with throwing good money after bad.

3.) It asks for government agencies to move all of their IT to a shared-services model, which, due to their siloed natures, is inconceivable.

4.) It provides a 90-day deadline for all agencies to apply a standardized model, which has never been done before and, given the diverse views on cybersecurity, will be an equally impossible chore.

5.) And finally, there is no change in either policy or approach from the Obama or Bush administrations’ prior initiatives toward cybersecurity, which given our current state of readiness seems reckless.

I would love to say that this is a great start, but I am slowly becoming part of that crowd who are deeply disappointed in the president’s growing inclination to allow politics as usual to haphazardly trudge forward.

Maybe that swamp just won’t drain.

Steve King is the COO and CTO of Netswitch Technology Management.