After campaign promises on cyber, months of tough talk about Internet security plans, plenty of anticipation and a missed 90-day deadline to deliver a cybersecurity report, President Donald Trump signed an Executive Order (EO) on cybersecurity this week.
The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure offers three sections, which Tom Bossert, Trump's homeland security adviser, said were in priority order:
Section 1. Cybersecurity of Federal Networks
Section 2. Cybersecurity of Critical Infrastructure
Section 3. Cybersecurity for the Nation
News media and overall cyberindustry reaction to the EO have been mostly positive. Here are some headlines:
Reuters: Trump signs order aimed at upgrading government cyber defenses — U.S. President Donald Trump signed an executive order on Thursday to bolster the government's cybersecurity and protect critical infrastructure from cyberattacks, marking his first significant action to address what he has called a top priority.
Wired: Trump’s Cybersecurity Executive Order Looks … Pretty Good! — There’s not much in there that’s actionable yet — much of it comprises deadlines for recommendations — but analysts appreciate the approach.
TheHill.com: Cybersecurity community lauds executive order — President Trump’s cybersecurity executive order has earned positive reviews from the cybersecurity community, who see it as a valuable starting point toward strengthening cyberdefenses.
The Washington Post: Trump signs order on cybersecurity that holds agency heads accountable for network attacks — The order “is a step forward,” said Ari Schwartz, a former White House and Commerce Department cyberpolicy official who worked on the Commerce guidelines. “It shows that there’s consensus on moving ahead on these issues.”
C|NET: Trump's cybersecurity order: Out with 'antiquated systems' — The executive order aims to improve U.S. systems by protecting federal networks, critical infrastructure and Americans online.
SC Magazine: Mixed response from IT security pros following release of Cybersecurity Executive Order — While some praise the directive for its guidance, others say its guidance falls short.
You can watch the Thursday press briefing on the new EO here.
Cyber Executive Order Details
The EO starts with the clear policy that: “The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”
Next, the findings, which outline inadequate cyberdefenses in federal agencies, also make it clear that the status quo will not be tolerated. An example: “The executive branch has for too long accepted antiquated and difficult–to-defend IT.” Also, “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.”
More specifically, “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.”
While a few experts in the field, including former White House cybersecurity coordinator Michael Daniel, called this EO just “A plan for a plan,” these directives will be difficult risk management reports for agencies to complete in three months.
The section on critical infrastructure builds on what was done during the Obama administration. The EO starts with this policy: “It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.”
The president goes on to outline how that protection effort will be done and who will be involved.
Another report is due in 90 days regarding “appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities.”
Within 240 days, a report is due on our “resilience against botnets and other automated, distributed threats.”
The electric grid is specifically called out with an “assessment of electricity disruption incident response capabilities.” (That is, are we ready for an attack against the electric grid?) This report is due in 90 days as well.
Finally, another report due in 90-days will address cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks and capabilities, and recommendations for mitigating these risks.
In the area of “cybersecurity of the nation,” the policy reiterates our priorities that “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” There is also the goal of fostering a next-generation workforce that is skilled in cybersecurity.
In many ways, this EO lays out the critical agenda for high-priority action items in cyberspace for the next four years. It offers a mix of different themes and topics that is diverse, from critical infrastructure to a cyberworkforce.
I view this as just the beginning for the Trump administration plans for cyberspace. While some may say that the words and deeds prior to this were actually the opening act, most of those statements were not backed up with an executive order with guidance to various groups to get moving.
These reports and other deliverables will be essential building blocks with much more to come. This is a foundational EO on cyber that continues the momentum that was built in the Obama administration, but also adds much more federal agency director accountability. This is a good thing, since every cyberexpert knows that true management buy-in and support is a critical success factor.
I am hearing that that there is also more going on behind the scenes right now that this EO reveals. For example, Rudy Giuliani is helping draw up cyber doctrine, DNI says, but details are scarce. I also think the international cooperation piece of this cybersecurity EO is essential. The EO directs:
“Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.”
The importance of this cyberdefense topic was underlined on Friday, when a new global ransomware attack called WannaCry was unleashed that affected over 100 countries and shut down many hospitals and businesses worldwide. This ongoing situation is one of the largest cyberattacks ever.
It was almost as if the response to the president’s cybersecurity EO from global hackers was, "Our life goes on and we don’t really care what you do." This is our sad, but scary, online reality.
We all need to be reminded that our individual and corporate (cybersecurity industry) actions have a great ability to influence lives all over the planet — both online and offline. A renewed urgency is required in cyberspace, as our online problems are not going away.
The second chapter in Trump’s cybersecurity plan will begin when those reports and actions steps are due later this year. Meanwhile, our cyberbattles march on.