In-brief: President Donald Trump made good on a long-held campaign promise Thursday, signing a tough-talking executive order to strengthen the cyber security of federal networks. But experts worry that the Order comes with too few specifics.
President Donald Trump made good on a long-held campaign promise Thursday, signing a tough-talking executive order to strengthen the cyber security of federal networks. But experts worry that the Order comes with too few specifics, with some calling it little more than a “plan for a plan.”
The White House announced the President’s signing of the Executive Order Thursday afternoon. The order covers both the cyber security of federal networks and the security of critical infrastructure.
A copy of the document released on the White House web site calls for agency heads to be “held accountable” for the security of their networks. It orders federal agencies to manage cyber risk according to guidelines in The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST).
That is a notable change in tone from the cyber security orders of President Trump’s predecessor. President Obama’s Cyber Security Executive Order, signed in 2013, created a voluntary system for critical infrastructure owners to adopt government guidelines for information sharing and for securing critical systems based on the NIST standards.
The thrust of his 2013 Executive Order was to increase information sharing about cyber attacks between private and public officials. The Order established a federal Cybersecurity Framework that standardized information security measures and controls and provided guidance to help owners and operators of critical infrastructure to identify, assess, and manage cyber risk. The Trump White House extended that Executive Order in March.
A proposed $19 billion Cybersecurity National Action Plan (CNAP), introduced in 2016, would have overhauled the way the federal government manages the security of its information systems and invested in programs to increase awareness of cyber security in the business community and the public sphere while increasing funding for cyber security by 35%.
The Trump Executive Order picks up on many of those threads, instructing the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) to assess the risk management practices of each federal agency and determine whether their risk mitigation and risk acceptance decisions are appropriate.
The Order calls out specific threats, as well. A report to the President on options for making the Internet more resilient to threats from botnets and “other automated, distributed threats” is due in one year’s time. So too is an assessment of the potential for disruption of the electrical grid and the readiness of the U.S. to manage the consequences of such a disruption.
The Executive Order also takes a swing at modernizing the federal government’s notoriously aged IT infrastructure, encouraging federal agencies to give preference to what is described as “shared IT services including email, cloud, and cybersecurity services.” The Order asks the American Technology Council to prepare a report to President Trump on modernizing Federal IT services.
In its broad outlines, the Executive Order echoes many of the talking points candidate Trump used on the campaign trail. Among those are the emphasis on personal accountability for agency heads and a top-down review of government cyber security policies. Retired US General Michael Flynn, in an October interview with The Security Ledger, highlighted both the need for a head-to-toe review and accountability as top priorities for a Trump administration on cyber security. Flynn resigned as President Trump’s National Security Advisor after serving just three weeks, when details of his contacts with Russian officials came to light.
However, cyber security experts said there was too little of substance in the Executive Order to distinguish it from what came before.
“This executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats,” wrote the Information Technology Innovation Foundation (ITIF), a Washington D.C. non-partisan think tank that focuses on promoting public policies that spur technology innovation.
The work done by the Obama Administration should have given the new Administration a head start on its own recommendations. However, “while the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions,” ITIF wrote.
Others noted that, given the political gridlock and infighting in Washington D.C., the Executive Order will remain more aspiration than perspiration.
“If there is no budget from Congress for the order, it will have little real effect,” said Philip Lieberman, president of Los Angeles-based Lieberman Software, in a statement. “All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.”