Months later than originally planned, President Donald Trump on Thursday issued a long-awaited directive on cyber security that, among other things, directs agency heads to be accountable for the security of their networks and calls for the adoption of shared information technology services and consolidated networks across the federal enterprise, actions by stakeholders to strengthen networks against automated threats, and options for deterring adversaries from conducting cyber attacks.

The executive order contains three main sections dealing with cyber security: one on the security of federal networks, another on the security of the nation’s critical infrastructure, and a last one that takes a broader view of securing the nation, including an assessment of the state of international cooperation.

President Donald Trump. Photo: White House.

In January, Trump was about to sign off on a cyber security executive order but pulled it back at the last minute. Before and after, the administration circulated drafts of the document to various stakeholders to obtain their feedback before settling on a final version.

Michael Daniel, the cyber security coordinator in the White House under former President Barack Obama and current president of the Cyber Threat Alliance, said in a statement that Trump’s order “continues the general approach to cybersecurity that started in the Bush Administration and ran through the Obama Administration.”

As with earlier drafts, the executive order holds department and agency heads accountable for managing the cyber security risks of their respective organizations and requires departments and agencies to adopt the risk-based Cybersecurity Framework led by the National Institute of Standards and Technology under Obama. The framework is voluntary for the private sector.

The directive also calls on the White House Office of Management and Budget to create a plan “to address immediate unmet budgetary needs to manage risk to the executive branch enterprise.”

Trump also wants agency heads to prioritize the acquisition of shared IT services such as email, cloud and cyber security, and directed his new White House-led American Technology Council to report on the “technical feasibility and cost effectiveness” of transitioning agencies to “one or more consolidated network architectures,” and shared IT services.

Rep. Jim Langevin (D-R.I.), a member of the House Armed Services and Homeland Security Committees, said in a statement that the order continues the Obama administration’s path “toward further centralization of cybersecurity,” adding that, “Relying on agencies to adequately protect their assets in this domain has proven unsustainable, as evidenced by the 2015 breach of the Office of Personnel Management, and strengthening the review process by the Department of Homeland Security and the Office of Management and Budget should help agencies better understand the risks they face and the resources available to them.”

In the area of critical infrastructure protection, a key element of the order requires DHS to report on how well existing federal policies promote market transparency by critical infrastructures with respect to their cyber security risk and management practices. Another feature requires DHS and the Commerce Department to “jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

Under the section entitled “Cybersecurity for the Nation,” Trump wants a report from key departments on the options for “deterring adversaries and better protecting the American people from cyber threats.”

On this point, Daniel said “It will be interesting to see whether the deterrence report and the international strategy will say anything new, but in general, I don’t see anything unusual or that really goes in a different policy direction.”

In the area of workforce development, Commerce and DHS are tasked with assessing the “sufficiency of efforts to educate and train” future cyber workers. The order also directs the Director of National Intelligence to assess how well foreign countries are developing their cyber workforce and how this is “likely to affect long-term United States cybersecurity competitiveness.”

Sen. John McCain (R-Ariz.), chairman of the Senate Armed Services Committee and a frequent critic of Trump’s policies, said in a statement about the executive order that “We do not need more assessment, reports, and reviews. We need policy, strategy, and the resources to carry them out.”

The directive also calls on DHS, the FBI and the Department of Defense to report on the cyber security risks facing the defense industrial base, including the supply chain, weapons, and networks.