US President Donald Trump has signed a long-awaited executive order on cyber security, 111 days after assuming office.
Trump originally promised to sign the order in his first 90 days, but the text was delayed after a mixed reaction to his travel ban impacted the pace of his orders.
State of the security state
The order, called Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, can be read in full here.
As part of the order, the “President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”
It requires that all federal agencies adopt the Framework for Improving Critical Infrastructure Cybersecurity (available here), developed by the National Institute of Standards and Technology (NIST).
Over the next 90 days the agencies have to present a plan to implement the framework, report on operational and budgetary considerations, and provide historical records of all “risk mitigation and acceptance choices made by each agency head.”
Also in the next 90 days, “the Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT.”
Specifics regarding modernization of infrastructure were absent, and there was no mention of ongoing US federal data center consolidation efforts, which could both improve security and save money.
American tech trade body and lobbying group The Information Technology Industry Council (ITI), which counts Amazon, Google, Facebook, VMware and more amongst its members, welcomed the order.
“President Trump’s executive order is a promising start for the administration’s cyber efforts,” ITI President and CEO Dean Garfield said.
“We are pleased to see the Trump Administration embrace actions we have consistently advocated for, including orienting federal government cybersecurity risk management around the Cybersecurity Framework and utilizing public-private partnerships to advance cybersecurity. We also look forward to working with lawmakers to see bipartisan legislation passed to bring needed upgrades to outdated federal IT systems that leave our government vulnerable to attacks.”
But former director of national intelligence James Clapper was less enthusiastic, suggesting that the resources behind the order would not be enough to pull off a massive modernization initiative.
He said at a Senate hearing: “The Trump administration understands preparing a new executive order and strengthening the cybersecurity of federal networks and critical infrastructure, emphasizes accountability, managing government IT architectures. What I expect is, though, that the accompanying authorities and resources will not match these bold goals.”
Amit Yoran, CEO of Tenable Network Security, said: “America currently spends over $80 billion per year on federal IT, but money alone won’t improve cybersecurity. Change can only happen if security is prioritized at the highest levels of government. This new executive order has the potential to force federal agencies to rethink their security strategies and to address today’s elastic attack surface.”
The order also aims to tackle the cyber security skills shortage faced by the US, ordering government agencies and agency heads to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.”