Trump Executive Order Tackles Concerns About Cybersecurity
By Kelly Phillips
On the same day that Daniel R. Coats, Director of National Intelligence, testified in front of the Senate Intelligence Committee hearing committee about the danger of cyber threats to our national security, President Donald Trump signed an executive order intended to “strengthen the cybersecurity of federal networks and critical infrastructure.”
Cybersecurity has been a concern for many Americans of late – not just because of allegations of Russian hacking during the elections – but also because of the increased risk at home. Phishing and identity theft, for example, were #1 and #3 respectively on the Internal Revenue Service (IRS) list of the Dirty Dozen Tax Scams for 2017.
In response to increased concerns, Trump touted cybersecurity as an issue during his campaign. Shortly before taking office, in January, he promised, “I will appoint a team to give me a plan within 90 days of taking office… Two weeks from today I will take the oath of office and America’s safety and security will be my number one priority.”
On his 111th day in office, the President finally delivered. The order focuses on three areas:
- Cybersecurity of Federal Networks
- Cybersecurity of Critical Infrastructure
- Cybersecurity for the Nation
Cybersecurity of Federal Networks.
To address cybersecurity of federal networks, the order requires the heads of each federal agency to use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk. Each federal agency will also be required to provide a risk management report for evaluation within 90 days. The report will include, among other things, “unmet budgetary needs necessary to manage risk to the executive branch enterprise.”
The order also directs federal agencies to show a preference for shared IT services, where allowable and feasible, including email, cloud, and cybersecurity services.
Security of federal agencies has been a concern following hacks which included the theft of more than 20 million records from the Office of Personnel Management (OPM) and attacks on individual taxpayer records at the Internal Revenue Service (IRS).
Cybersecurity of Critical Infrastructure.
When it comes to critical infrastructure (think power grids, water, and telephones), the order calls for a report on those infrastructures which are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The report, which is to be submitted with six months, must also identify how risks to those systems could be mitigated.
The order also requires that strategies be developed to reduce cyberthreats perpetrated by botnets. Botnets can basically “hijack” computers for the purpose of carrying out automated tasks such as stealing valuable information and launching distributed denial of service (DDoS) attacks.
An issue that has been raised multiple times – the specter of a prolonged power outage associated with a significant cyber incident – is also addressed in the order, which calls for an assessment of not only the potential scope of such an outage but also the readiness of the country to manage such an event. The order requires similar assessments be made with respect to a cyber attack on the military, including the supply chain, as well as systems, networks, and capabilities, as well as recommendations for mitigating those risks.
Cybersecurity for the Nation.
Finally, the order calls for developing a strategy for “deterring adversaries and better protecting the American people from cyber threats.” The strategy is expected to include education and training for the “American cybersecurity workforce of the future.” The order also seeks to establish policies that will serve as deterrents for foreign nations targeting Americans, a move some suggested might be a direct response to the allegations of Russian hacking. At a press briefing held earlier today, White House Homeland Security Adviser Tom Bossert downplayed that suggestion, noting “the Russians are not our only adversary on the internet.”
You can read the order here.
Responses have been mixed. Some security experts welcomed the order as a good start while others suggested it was merely “a plan to make a plan.”
“This is a good step in the right direction,” said Jeff Engle, VP, Government Sector, United Data Technologies in response to the order. “When it comes to assessing the cyber workforce I think the focus is a bit acute on the personnel who may have cyber in their title rather that the evolution in the general workforce. Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”
The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, issued a statement which began, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.” The statement went on to say, “We’ll have to wait to see how well this administration can implement its stated goals for cybersecurity. Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government. Moreover, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.” ITIF concluded, however, that it is “a good sign though that the White House included much-needed government IT modernization and consolidation as part of the executive order.”
(Author’s note: The article has been updated to include a statement from Jeff Engle, VP, Government Sector, United Data Technologies.)
Click here to view full article.