A new cyber executive order signed by President Donald Trump on Thursday makes clear that the heads of government agencies will be held accountable for managing security risks across their organizations.
This includes ensuring that federal IT systems and data are protected from unauthorized access and other cyberthreats, that the agency can detect suspicious activity on government networks, and that it can respond to and recover from an attack. In terms of the workforce, the president's order tasks several agencies — including the Office of Personnel Management and the Homeland Security Department — with creating recommendations for growing the cyber workforce in the public and private sectors.
The executive order also requires that agency leaders use a framework of standards, guidelines and practices developed collaboratively by industry and government. In other words, cyber isn't just an IT problem, but one that should be addressed at the highest levels. The framework referenced in the executive order — known widely as the NIST Cybersecurity Framework — aims to protect critical U.S. assets, such as the electric grid, dams and aviation systems from cyberthreats. (Check out NIST's draft implementation guidance for agencies adopting the framework.)
The White House release of Trump’s cyber executive order came less than a day before news broke about a massive cyberattack that hit dozens of countries, including the U.S., China, Russia and Taiwan.
On the international front, the order gives the secretaries of State, Treasury, Defense, Commerce and Homeland Security until the end of June to coordinate with each other and the Attorney General and Director of the FBI to submit reports on their international cybersecurity priorities. That includes their investigations, any attribution tied to cyberattacks, as well as cyberthreat information sharing and response. In the order, Trump also calls for an assessment of whether the U.S. can manage a prolonged power outage caused by a significant cyberattack.
Most of what’s included in the executive order echoes recommendations and sentiments shared by the Obama administration. In fact, a number of career National Security Council personnel who worked on policy issues under President Barack Obama helped craft the executive order, according to The Washington Post.
For example, the former president charged a nonpartisan commission to develop actionable recommendations for strengthening cybersecurity in the public and private sectors. The December report included a host of recommendations, including requiring that all federal agencies use the NIST Cybersecurity Framework.
According to the commission’s report, many agencies are not yet using the Cybersecurity Framework because “they are focused on the many requirements that they face, or because they do not understand how they can make productive use of the Framework within the larger context of managing their operations.”
The order’s release was delayed for several reasons and by several people, including White House senior adviser Jared Kushner, who removed a section about IT modernization that will be placed in a separate executive order, The Post reported.
For those outside of government, there were mixed reviews on the contents of the executive order.
“We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats,” said Daniel Castro, vice president at the Information Technology and Innovation Foundation (ITIF), a U.S. science and tech policy think tank.
“It is a good sign, though, that the White House included much-needed government IT modernization and consolidation as part of the executive order,” Castro said.
The executive order requires agencies to “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.”
White House director of strategic initiatives, Chris Liddell, will have until August to coordinate with various agency heads to develop a report detailing the legal, budgetary and technical feasibility of moving all agencies — or a subset of them — to a consolidated network architecture and shared email, cloud and cybersecurity services.
For more details, check out the entire executive order here.