The president signed the long-anticipated cybersecurity executive order Thursday afternoon, the main focus of which was assessing and improving federal network security and risk management, and supporting critical infrastructure.
Some of the action items are ambitious: agencies heads have 90 days to provide the secretaries of Homeland Security and the Director of the Office of Management and Budget (OMB) with risk management reports; they will then have 60 days to assess the reports and their cumulative implications for cybersecurity across the executive branch, develop a plan to secure federal networks and address any insufficiencies that may exist across the agencies’ plans, “address immediate unmet budgetary needs” to do so, and “establish a regular process for reassessing and, if appropriate, reissuing the [enterprise risk evaluations], and addressing future, recurring unmet budgetary needs.”
They’re also supposed to “clarify, reconcile, and reissue, as necessary… all policies, standards, and guidelines issued by any agency” and align them with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. And that only takes us to page 4.
However some industry experts don’t think it goes far enough. “What I find disheartening is that Cybersecurity is continuing to be treated as an area where we need to perpetually ‘catch-up’ and as a separate focus from the overall efforts to modernize and facilitate the evolution of government,” said Kevin Magee, a global security strategist at Gigamon. “It’s clear to me is that what we need is an inspiring cybersecurity moonshot. What we’re getting here is an enormous 90 day SWOT analysis.”
The order follows last week’s executive order on modernizing federal IT, which is where many of these security issues should have been, said Magee. “When you read the [modernization executive order], its focus is to coordinate the ‘vision, strategy, and direction for the Federal Government’s use of information technology and the delivery of services through information technology.’ This is where cybersecurity needs to be addressed, by design, not by retrofit, bolt-on solutions and patching after the new services have already gone online.”
“Let me be clear that the government is doing a lot of good things already and we heard directly from many agencies at our Public Sector Cybersecurity Summit last month,” he continued. “The government needs to continue to improve on integrating security into the earliest stages of solution design in order to take back the advantages currently enjoyed and exploited by attackers and tip the scales once more in favor of the defenders.”
- Mandatory Compliance: The order requires federal departments and agencies comply with the NIST Framework, which was voluntary under the Obama administration, compliance was voluntary.
- An Enterprise Approach: Agencies aren’t on their own anymore. In their efforts to “build and maintain a modern, secure, and more resilient executive branch IT architecture… Agency heads shall show preference in their procurement for shared IT services,” the order states, including email, cloud, and cybersecurity services.
- Transparency in the Marketplace: DHS and the Secretary of Commerce are on the hook for another report to determine whether current regulations provide sufficient transparency of critical infrastructure entities’ cybersecurity and risk management practices.
- The Cyber Workforce: The U.S. cyber workforce is behind, but Trump wants to get ahead: not only does the order request evaluations of and plans for the U.S. cyber workforce, it also requests a report from the Director of National Intelligence on the workforce training and development efforts of “potential foreign cyber peers” that will affect the U.S.’ long-term strategic edge.
- The World Wide Web: “As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet,” the order notes, and we can’t keep it that way alone. The order lays out an interagency effort to develop an international engagement plan within the next four and a half months.
- A Plan for Deterrence: We don’t have one, and we need one, the Defense Science Board said in February. The Trump administration agrees, and wants a plan of strategic options in 90 days.
Looking for some light reading? Read the full text of the order here.