President Donald Trump signed an executive order on cybersecurity, which mandates actions to protect the cybersecurity of Federal networks and critical infrastructure.
The first section of the May 11 order stresses the importance of protecting data held within Federal networks, and says that agency heads will be held accountable by the president for implementing risk management measures. The order also mandates that agencies use the previously voluntary NIST cybersecurity framework, a move that MeriTalk reported last week was likely.
“From this point forward, departments and agencies will practice what we preach,” said Tom Bossert, Homeland Security adviser to the president.
The order also requires agencies to provide a report on their risk management efforts, documenting agency security choices and action plans.
“Each Agency Head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order,” the order says.
A previous MeriTalk report noted that the executive order requires executives to draft many other reports on their progress.
As part of the imperative to protect Federal networks, the order places particular importance on modernizing Federal IT systems, and places preference on the use of shared services.
“If we don’t move to secured and shared services, we’re going to be behind the 8-ball for a very long time,” Bossert said.
This emphasis on IT modernization bodes well for Rep. Will Hurd’s Modernizing Government Technology (MGT) Act, which was introduced in the House in late April, and received a companion bill in the Senate.
To protect the security of critical infrastructure, the order mandates that the secretary of Homeland Security, secretary of Defense, the attorney general, the director of National Intelligence, the director of the Federal Bureau of Investigation, and the heads of appropriate sector-specific agencies “identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities” and provide a report to the president within 180 days of the order.
The order calls for the secretaries of State, Treasury, Defense, Commerce, Homeland Security, Education, and Labor, along with the attorney general, FBI director, and OPM, to conduct various assessments and reports on the nation’s defensive, international, and workforce development capabilities.
Bossert said the Federal government could benefit from a holistic view of what cybersecurity issues need to be addressed. He cited Israel, whose government adopted a centralized view of cyber-related initiatives, as an example.
Officers within the administration will meet with other governments to ensure best practices for the U.S. and its allies. Bossert said an open Internet and collaboration are key “to finding what is and is not acceptable.”
“We need to look at Federal government as an enterprise,” Bossert said. “Each department has the responsibility to protect their own networks. Now they have the responsibility to report risk to the White House.”
In addition to meeting with other countries, Bossert said White House representatives will also consult with tech experts in private industry.
“There’s a lot to be learned from private industry,” Bossert said. “That stuff needs to come to the WH in an appropriate way.”
Addressing cybersecurity needs means returning to the basics, Bossert said. While he acknowledged that progress was made on this front during the Obama administration, he said it was not nearly enough.
“We have not done basic blocking and tackling,” Bossert said.
Although he emphasized the importance of cybersecurity, Bossert did not describe what exactly constitutes a cyberattack. He said not spelling out the definition of a cyberattack makes it more difficult for adversaries to pinpoint a weak area.
“We’re not going to draw a red line on cyber war today,” Bossert said. “We don’t want to telegraph our punches.”
The president made previous attempts at a cyber executive order in January, but cyber experts were critical of the leaked documents, and the order was delayed.
Eleanor Lamb contributed to this report.