Trump Signs Long-Awaited Cyber Executive Order
President Donald Trump on Thursday signed a much-anticipated cybersecurity executive order that lays out the government's path toward strengthening federal networks.
“The trend is going in the wrong direction in cyberspace and it’s time to stop that trend and reverse it on behalf of the American people,” Thomas Bossert, White House homeland security adviser, said Thursday afternoon while announcing details of the order. The government has noted an increase in the number of attacks from “allies, adversaries, primarily nation-states, but also non nation-state actors,” Bossert said during a televised White House briefing.
The government has struggled to effectively derail nation-states and cyber intruders that repeatedly highlight U.S. vulnerabilities, as shown by a string of notorious incidents including Russia’s reported interference in last year's U.S. presidential electoral process, the notable OPM breach attributed to China that exfiltrated the sensitive records of 22 million federal employees, and North Korea’s hack of Sony Pictures Entertainment emails.
The order contains three prioritized sections, with the government’s leading priority being to protect federal networks, Bossert said. It directs government agencies to implement the National Institute of Standards and Technology (NIST) cybersecurity framework. In the past, the government asked the private sector to implement the guidelines but had not enforced the guidance within the government itself, Bossert said. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”
NIST’s framework began in February 2013, when then-President Barack Obama issued an executive order that ignited a public-private collaborative effort between industry, academia and the government to develop the voluntary framework. It became known as the NIST Cybersecurity Framework when released in February 2014.
Trump’s new order also calls for an upgrade to legacy systems and sets in motion processes so that federal information technology procurement is for shared services, Bossert said. “We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture,” he said.
Perhaps the most difficult of the outlined tasks, the order directs government offices to come together to “centralize risks so we view our federal IT as one enterprise network,” Bossert said. “If we don’t do so, we will not be able to adequately understand what risk exists and how to mitigate it.”
The government spends more than $80 billion a year on federal IT. But money alone won’t improve cybersecurity, said Amit Yoran, CEO of vulnerability management company Tenable. "Change can only happen if security is prioritized at the highest levels of government," he said. "This new executive order has the potential to force federal agencies to rethink their security strategies and to address today’s elastic attack surface."
Yoran also noted that the single biggest challenge facing the government is the mammoth modernization effort. "As agencies embrace modern IT, including shared cloud services and Internet-enabled devices, it is important to understand the changes in the attack surface and embrace new opportunities to enhance security," Yoran stated. "The executive order’s prioritization of assessing and mitigating known vulnerabilities is a good step forward. Agencies need the tools to detect networked devices and systems, and the ability to identify and prioritize methods to best mitigate risk."
The new order builds on existing laws, such as the Federal Information Security Management Act (FISMA) and Obama’s critical infrastructure order, said Ken Spinner, vice president of global field engineering at cyber firm Varonis Systems. “We will see a certain amount of continuity with some tweaking to existing rules for both private sector and government agencies,” Spinner said. “But we also see a heavier focus on agency accountability and shared services between executive branch departments and agencies.”
Additionally, focusing internally first on federal systems is critical, suggested Steve Grobman, senior vice president and chief technology officer at McAfee. “Getting the government’s own cyber house in order is job one, and holding agency and department heads accountable is key,” he said. “This is no different than the paradigm we see in corporate organizations where, although the CEO is not a cybersecurity expert, he or she is ultimately responsible for implementing a cybersecurity plan that mitigates risk to the business. The NIST Framework is a powerful tool to facilitate implementing a strong cyber defense.”
In late April, the White House created via another executive order the American Technology Council, or ATC, to lead efforts to modernize the federal government’s networks and tackle big-picture federal information technology services.
Among the ATC's principal functions are to “coordinate the vision, strategy and direction for the federal government's use of information technology and the delivery of services through information technology.” The order allows for the ATC to function through ad hoc committees, task forces or interagency groups.
In March, the White House floated its first federal budget blueprint that included funding for the nation’s cybersecurity efforts, primarily by boosting budgets of the Defense Department and Department of Homeland Security. The funding aligns with strategies set by the White House, including holding the heads of government agencies and departments responsible for securing agency data and networks and adopting best practices from the private sector.
Critical to securing networks is continuity, offered Brian NeSmith, co-founder and CEO of Arctic Wolf Networks, a security operations center-as-a-service company. "Cybersecurity is kind of like dieting," he said. "You can have the best plan in place, but if you don’t stick to it, you won’t see the results you want. The real test for this [executive order] will be whether the government can actually implement and stick to a rigorous plan of proactive and reactive defense mechanisms. Without that we’ll be reading more about Russian or other entities successfully infiltrating our nation’s defenses."