Last week, President Trump signed an executive order (EO) designed to strengthen national cybersecurity and critical infrastructure. The EO focuses on the modernization of the federal information technology (IT) network and national cybersecurity risk management. While the order does not specifically address private-sector business procedures, companies will likely be forced to adjust operations in response to cybersecurity risks.
Modernization of Federal IT
To promote IT modernization, the EO specifically directs agencies to “show preference” for shared IT services including email and cloud services, requests strategies to reduce threats from botnets, and seeks a plan to help secure critical infrastructure. As a part of the modernization process, the order states that agency heads will be held accountable for promulgating cybersecurity initiatives and adequately protecting and managing cybersecurity risks. The tone of accountability woven throughout the order is particularly noteworthy, as the order suggests that President Trump may be much more interested in holding senior officials personally accountable for cybersecurity failings than were past presidents.
Although most of these modernization efforts will take time, one immediate effect of the order is that each agency is now explicitly required to follow the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST). Notably, the EO does not include the language “at a minimum” before that requirement. By omitting that language, the order potentially disincentivizes, or at least fails to incentivize, agencies from adopting security policies and procedures that go beyond what the Framework calls for.
Implementing such an extensive modernization effort raises legitimate budgetary concerns. To help address this issue, the Secretary of Commerce, among others, is charged with reporting on the budgetary considerations involved in the federal transition to secure, shared IT services. However, it is unclear how the new budgetary requests will be managed by Congress and whether budget cycles and their associated processes will impede the expedited reforms the President is seeking.
The order also seeks to determine to what extent the country is prepared for, and could respond to, a prolonged cyber incident. As part of the information-gathering process, the EO requires several different agencies to prepare reports that are due within 45 to 240 days; most of the reports are due within the next 90 days. These reports include:
- the country’s strategic options for deterring adversaries and protecting against cyber threats;
- an assessment of cybersecurity-related education, training, and apprenticeship programs;
- the sufficiency of existing policies to promote market transparency of cybersecurity risk management practices by critical infrastructure entities;
- the potential scope and duration of a prolonged power outage associated with a significant cyber incident; and
- the cybersecurity risks facing the defense industrial base and recommendations for mitigating those risks.
While the relatively short 90-day reporting deadline illustrates a sense of urgency on this matter, it does raise the concern that agencies may be forced to rely on existing perspectives and information or to generate relatively cursory analysis rather than engage in comprehensive studies of the matters outlined in the order.
The EO does not fundamentally change U.S. cybersecurity policy, but it does lay the groundwork for future policy initiatives. The seriousness of implementing new cybersecurity policy, especially the EO’s request for options for deterring adversaries, was unfortunately reinforced by the unprecedented global ransomware attack as well as the Federal Communications Commission falling victim to a distributed denial-of-service attack. Given the increasing regularity of cyber disruptions, the administration is likely to continue focusing on this issue throughout the year.