An executive order aimed at securing services such as the Global Positioning System continues the administration’s trend of relying on procurement as the main lever in its toolbox for making cybersecurity policy.
GPS, typically associated with popular mapping tools, is an example of Position Navigation and Timing, or PNT, services used in a broad range of applications including precision banking and microsurgery. It is based on the extraordinary coordination of a constellation of clocks and satellites and is vulnerable to hackers perpetrating “jamming” and “spoofing” attacks that interfere with the receipt of relevant signals.
In November 2018, then-Secretary of Homeland Security Kirstjen Nielsen identified PNT as the primary “systemic risk” to the cybersecurity of critical infrastructure.
The executive order announced today would put the Homeland Security Secretary in charge of overseeing the development of language to include “requirements for federal contracts for products, systems, and services that integrate or utilize PNT services, with the goal of encouraging the private sector to use additional PNT services and develop new robust and secure PNT services.”
Homeland Security has been issuing best practices for adoption by industry to protect itself from cyberattacks targeting GPS over the past several years.
But coordination and education of industry have “often been a challenge for government agencies,” said Dana Goward, president of the Resilient Navigation and Timing Foundation, “especially when the goal is to get industry to spend their own time and money without a mandating regulation or law.”
Particularly at Homeland Security’s Cybersecurity and Infrastructure Security Agency, the focus has been on working collaboratively with the private sector rather than on establishing a foundation for punitive enforcement.
Goward, a member of the National Space-Based Positioning, Navigation, and Timing Advisory Board, told Nextgov that leveraging the federal government’s market power is something the foundation has been advocating.
But he stressed that “we would like to see something more concrete, such as the government specifying performance requirements for the receivers it purchases.”
The executive order calls for procurement requirements in accordance with “PNT profiles” to be developed by the Secretary of Commerce, coordinating with leaders of sector-specific agencies and private-sector users, within a year.
“The PNT profiles will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services,” according to the order.
Once they’re made available, the order gives the heads of the sector-specific agencies 90 days to work with the Homeland Security Secretary to develop contracting language that includes the profiles.
The order calls for the PNT profiles to be reviewed every two years and updated “as necessary.” An administration official said the National Institute of Standards and Technology would take the lead in developing a template for the profiles based on “a generic tailoring” of the agency’s landmark 2014 cybersecurity framework.
Goward was not optimistic about the impact the executive order would have and characterized it as a potential punt to a future administration.
“Much of the potential action items must wait up to a year for information to be gathered,” he said. “Then many of the hoped-for accomplishments will rely on agencies convincing industry to spend money without any legal or regulatory requirement to do so.”
He added that departments would have “to develop fairly complex purchasing criteria and contracting standards that may or may not be practical.”
Goward further noted that the executive order appears to conflict with existing law by requiring the Commerce Department to “make available a [Global Navigation Satellite System]-independent source of Coordinated Universal Time, to support the needs of critical infrastructure owners and operators, for the public and private sectors to access.”
He said the Commerce Department does already have a “GNSS-independent source” with a master clock in Boulder, Colorado, but that “the real challenge is distributing that time at the right level or accuracy to critical infrastructure,” which is something the National Timing Resilience and Security Act of 2018 requires of the Transportation Department.
On this point, Goward said the order “will likely cause confusion and uncertainty as to which agency is to do what.”