President Trump Signs Cybersecurity Executive Order
On May 11th President Donald Trump signed a long anticipated Executive Order on âStrengthening the Cybersecurity of Federal Networks and Critical Infrastructureâ. Under the order, the President is holding the heads of federal agencies accountable for managing cybersecurity risks. Each agency must now use the National Institute of Standards and Technology (NIST) framework on cybersecurity. The order also requires agencies to now show a preference for shared IT services when they are procuring services. Cybersecurity for systems related to national defense will be the responsibility of the Secretary of Defense and the Director of National Intelligence, while the cybersecurity of other critical infrastructure will be the responsibility of the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB).
âWeâve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors, and sitting by and doing nothing is no longer an option,â the President’s Homeland Security adviser, Thomas Bossert, said during a briefing at the White House. At the briefing, Bossert denied the order had anything to do with claims of the Russian government hacking the elections. The order does not address the cybersecurity of America’s electoral system, as voting machines are generally an issue left to local elections boards and state governments. Earlier this year the Department of Homeland Security (DHS) declared the electoral system a critical infrastructure.
In December of last year, the White Houseâs Commission on Enhancing National Cybersecurity issued a report to President Obama which made recommendations on enhancing cybersecurity for both the outgoing and incoming presidential administrations. President Trump’s new Executive Order does implement some of the recommendations that the Commission on Enhancing National Cybersecurity made in their report last year. One of the commission’s recommendations that President Trump chose to implement was the requirement that the federal government follow NIST’s 2014 cybersecurity framework.
âIt is something we have asked the private sector to implement, and not forced upon ourselvesâ¦From this point forward, departments and agencies shall practice what we preach,â Bossert commented on the NIST cybersecurity framework implementation requirement of the order, at the briefing. Another recommendation from the commission’s report that President Trump implemented was the recommendation to create a single consolidated federal network. At the briefing, Bossert said the President’s order was meant to centralize the federal government’s cybersecurity risk. According to Bossert, the President’s plan is to view the federal government’s IT as a single enterprise network. Bossert said the government needed to move to the cloud and not fracture their security posture.
President Trump also implemented the commission’s recommendation to move federal agencies to an enterprise risk management approach to cybersecurity. The order requires many reports to be made on each agencies cybersecurity risks. The President also called for international cooperation in his order, which was also a policy recommended by the commission. Some of the recommendations that the commission made that were not implemented dealt with creating public-private partnerships and initiatives with the tech community. However, the order did encourage the growth of the cybersecurity workforce in both the public and private sectors. Cybersecurity risks facing the military-industrial complex and its supply chain will also be assessed in reports required under the order, which may be at least partially classified.
Under the order, the Secretary of Commerce and the Secretary of Homeland Security will make a report on defending against botnets and distributed threats. Those secretaries will work with the Secretary of Defense, the Attorney General, the Director of the FBI, the Chairs of the FCC and FTC, and other agencies when making their report. The Secretary of Energy and the Secretary of Homeland Security will work with the Director of National Intelligence and local and state governments to make an assessment on the responses to electricity disruptions. The report will also assess the preparedness and any shortcomings the United States has in responding to prolonged power outages caused by a cyber attack.
The President also stated in the order that his administration’s policy shall be to âpromote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.â The signing of the order was timed to coincide with the administration’s effort to modernize the government’s IT services. Earlier this month President Trump signed an order which dealt with his IT modernization initiative.