President Trump today signed a long-delayed cybersecurity executive order that prioritizes the protection of federal networks and critical industries, and instructs agency heads to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The order was to be signed in late January, before it was postponed. Early drafts called for a 60-day assessment of critical federal systems and raised concerns that service providers could be compelled to shut down suspicious traffic.
The order today instead puts an emphasis on risk management, updating antiquated systems such as those at the core of the disastrous OPM hack in 2015, and treating federal networks as one enterprise network, said Tom Bossert, Trump’s Homeland Security adviser, during a White House press briefing.
The order also keeps cybersecurity in the mainstream as officials continue to deliberate how to handle Russian interference in the U.S. presidential election, relentless data leaks from WikiLeaks and the Shadowbrokers, and the threat to the U.S. economy and privacy posed by cybercriminals.
Bossert said the executive order is the first step toward not only enhancing the security of critical industries such as finance, health care and utilities, but also in creating a deterrence policy, calling it long overdue.
“Russia is not our only adversary there. Other nations are motivated to use cyber to attack our people and our data,” Bossert said. “We need to establish rules of the road of proper behavior on the Internet and deter those who don’t abide.”
Bossert said that he expects more interaction between the feds and private sector tech leaders, and singled out the reduction of botnets and their potential to initiate DDoS attacks as a premise for enhanced cooperation from service providers and manufacturers with the government.
“What the president calls for is for the government to provide a basis for coordination,” Bossert said. “We know they have the technical capacity to reduce botnets dramatically.”
Rep. James Langevin (D-RI) said the executive order’s mandate to review existing policy and modernize IT by going to a shared services model and giving preference to cloud services in future procurement will help secure critical federal networks.
“Relying on agencies to adequately protect their assets in this new domain has proven unsustainable, as evidenced by the 2015 breach of the Office of Personnel Management,” Langevin said, “and strengthening the review process by the Department of Homeland Security and the Office of Management and Budget should help agencies better understand the risks they face and the resources available to them.”
The order puts an emphasis on risk management through the use of the NIST Framework. Agency heads will have 90 days to report to DHS and OMB on their respective risk mitigation strategies, budgetary considerations, accepted risks (unmitigated vulnerabilities) and an action plan to implement the Framework.
“We have practiced one thing and preached another,” Bossert said, adding that the government has asked the private sector to implement the Framework, but not enforced upon itself. “From this point forward, departments and agencies will practices what we preach and implement that same NIST Framework for risk management and risk reduction.”
The executive order is written in three sections, with the first focusing on the NIST Framework, and the second and third on securing critical infrastructure and national security respectively.
With respect to critical infrastructure, the order directs DHS, FBI, the Director of National Intelligence and the Attorney General to identify infrastructure at greatest risk and report to the president within six months findings and recommendations. Officials are also to prepare reports on resilience to botnets, attacks against the electric utilities and readiness to respond.
The national security section of the order focuses on deterrence and protection and mandates within 90 days a report providing strategic options in that direction. The president also wants recommendations on enhancing international cooperation and workforce development.
“It will be interesting to see whether the deterrence report and the international strategy will say anything new—but in general, I don’t see anything unusual or that really goes in a different policy direction,” said Michael Daniel, former White House cybersecurity coordinator and president of the Cyber Threat Alliance, in a statement. “Of course, this order is more of a plan for a plan, because an EO can only direct federal agencies to do things they can already do within the law, but the reports it calls for are good ones to have, for the most part.”