Disruptive by Design: Cyberthreats Galvanize Ambitious Executive Order
President Donald Trump recently signed a succinct but sweeping cybersecurity executive order fortifying the U.S. government’s role in thwarting cyber attacks, establishing a path toward protecting federal networks and critical infrastructure, and bolstering cybersecurity for the nation as a whole.
“Our nation’s economic and national security rely on a safe, secure and reliable cyberspace,” said U.S. Department of Homeland Security Secretary John Kelly of the order, titled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
The cyber executive order (EO) creates a baseline of security across federal departments, beginning with risk management and information technology modernization in the executive branch. It emphasizes information sharing as well as rapid procurement and requires agencies to follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework. The EO contains three prioritized sections and forms a system of checks and balances in which agencies must submit for review at least 15 progress assessments within a year and at least one comprehensive report.
The first priority is for the executive branch to implement risk management measures related to unauthorized access, use, disclosure, disruption, modification or destruction of information technology and data. Agencies must create a series of reports and reviews related to such events. This strategy allows for greater oversight, risk mitigation, accountability and overall security and is a necessary step toward ensuring that the government is better prepared to handle cyber incidents.
Agency heads not only must soon produce initial cyber reports but also document risk mitigation and acceptance choices, including strategies that guide their decision making. Mick Mulvaney, director of the Office of Management and Budget, and Kelly will review the reports and apprise the president of the status of networks, recommendations to remedy inadequacies and issues introduced because of budgetary constraints. Additionally, the EO calls for a pivotal push in the procurement process for shared information technology services, such as email and cloud. This heavy emphasis on accelerating modernization has been a long time coming.
The EO’s second priority addresses federal support to shore up cyber vulnerabilities surrounding critical infrastructure. It draws from a similar EO issued in 2013 by former President Barack Obama but now mandates that key Cabinet-level bosses identify authorities and mechanisms through which agencies can better support cybersecurity efforts for the 16 critical infrastructure sectors. Agencies also must investigate and report on federal policies to promote market transparency of cyber risk management practices, a measure to improve cyberthreat resilience, especially risks that threaten the defense industrial base.
The final substantive section of the EO focuses on consumer cybersecurity, not only in fostering a secure Internet but also in supporting the growth of a cyber-trained work force to reverse the labor shortfall that poses a national security liability. The EO requires agency heads to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity work force of the future.” That’s no small order.
Overall, the new EO pulls from policies and procedures spearheaded by the Obama administration. It builds on existing initiatives and pushes forward many key points of the Cyber National Action Plan (CNAP), published last February. The order also draws on policies to protect critical infrastructure as well as standards for risk management set in the NIST framework. Because it attempts to increase the accountability of public companies that own critical infrastructure by revealing their cyber practices, and because it incorporates other significant efforts introduced and backed by both sides of the political aisle, the EO is largely supported by the cybersecurity community.
Farisa Dastvar is counsel at Willis Towers Watson, primarily practicing in commercial contracts. The views expressed are her own.