Trump Finally Signs Cybersecurity Executive OrderSecretaries, Directors to Be Held Responsible for Their Agencies' IT Security
(This story has been updated.)
President Donald Trump has signed a long-awaited executive order that places responsibility for cybersecurity on departmental secretaries and agency directors and emphasizes the use of risk management throughout the federal government to secure digital assets.
The executive order also requires each federal agency to use the cybersecurity framework developed by the National Institute of Standards and Technology (see NIST Issues Draft of Revisions to Cybersecurity Framework).
"It is something that we have asked the private sector to implement, and not forced upon ourselves," Assistant to the President Tom Bossert said at the daily White House press briefing on Thursday. "From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction."
A Critical First Step?
Making agency heads responsible for IT security is "a critical first step as it places the onus on each agency head to make sure cyber is part of their mission," says Viewpost Chief Security Officer Christopher Pierson, a member of the Department of Homeland Security's data privacy and integrity advisory committee. "The one throat to choke for accountability for federal cybersecurity is now clear."
But Robert Bigman, an IT security consultant who was a long-time CISO at the CIA, contends the executive order lacks specificity that's needed to secure government IT. "This EO does very little to move the ball forward," he says. "Government agencies need specific/detailed direction ... on minimum cybersecurity responsibilities."
And Nok Nok Labs CEO Phil Dunkelberger says he doesn't see much new in the executive order. "It is a continuation of what we've already been doing and in many cases failing," says Dunkelberger, former CEO of PGP. "The industry/government needs a revolution. ... We have made strides, the question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren't playing by any rules."
The executive order, prepared after the release of several earlier drafts, also calls for the modernizing of federal information technology. New technologies are seen as more secure than older ones. The modernization program will be led by the American Technology Council headed by Jared Kushner, Trump's son-in-law and assistant to the president.
Tom Bossert, at the press briefing, cited the 2015 breach of antiquated computers at the Office of Personnel Management, which exposed the personal information of 21.5 million federal employees and contractors, as an example of the government wasting money on outdated technology (see Audit: OPM Offered Duplicate ID Protection Services). "The president has issued a preference from today forward in federal procurement of federal IT for shared services - got to move to the cloud and try to protect ourselves instead of fracturing our security posture," Bossert said.
Among other provisions, the executive order calls for:
- Identifying federal capabilities that could be used to help companies that operate portions of the nation's critical infrastructure to defend their information systems and data;
- Promoting processes to improve resilience of the internet and communications ecosystem to dramatically reduce threats perpetrated by botnets;
- Assessing electricity disruption incident response capabilities; and
- Identifying risks facing the defense industrial base.
Safeguarding the Weakest Link
"The focus on the defense supply chain is an important recognition that cyber attackers target the weakest links," says Jacob Olcott, BitSight Technologies' vice president and former cybersecurity staff leader on the Senate Commerce Committee. "Managing third-party risk has been a major focus for the private sector, and it's smart that the EO prioritizes this initiative for the DoD."
The executive order calls on the secretaries of commerce and homeland security, working with other agencies, to assess the scope of efforts to train the American cybersecurity workforce, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education.
It also directs the director of national intelligence to review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.
"One key to this [executive order] is a robust federal cyber R&D program through the academic community to educate and cultivate a pipeline of next-generation computer scientists and front-line defenders, as well as the tools and technologies to support them," says Signal Group Executive Vice President Greg Garcia, a former DHS assistant secretary for cybersecurity and communications.
Range of Deadlines
Most of the provisions are stated as directives requiring specific agencies to report to the president within certain deadlines that range from 45 to 240 days.
"The United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace," the executive order says.
The original draft of the executive order had called for the military to play a more active role in protecting federal government and critical infrastructure information technology, but was excised in later drafts and the final version because of the widespread belief among many stakeholders that civilian cybersecurity shouldn't be overseen by the defense department (see Revised Cybersecurity Executive Order Seen as More Moderate ).