After months of rumors and leaked drafts, and amid another week of White House controversy that included the firing of FBI Director James Comey, President Donald Trump signed an executive order on cybersecurity.
This executive order isn’t expected to incite as much controversy Trump’s previous orders, such as those on immigration, and cybersecurity experts don’t expect much to change.
“First and foremost, what’s happening in cyberspace is not working,” Oren Falkowitz, CEO of Area 1 Security and former NSA analyst, told The Parallax. He points to breaches like those the Office of Personnel Management and the Democratic Party recently suffered as events the Trump administration should heed.
“This is recognition of the need to create more cohesion and consolidation between agencies,” he says.
In his cybersecurity executive order, Trump does two things differently from his predecessors. He calls for federal-agency leaders to be held accountable for attacks on their networks. He also mandates that federal agencies follow the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in developing risk management, created following President Obama’s 2013 cybersecurity executive order.
The order could change how the U.S. government handles cybersecurity risk, as the NIST framework undergoes revisions to include vulnerability disclosure management policies.
Trump also ordered federal departments to complete a review of agency cybersecurity defenses within 90 days, focusing on “risk mitigation and acceptance choices,” with the goal of addressing potential issues such as funding and sharing technology across departments.
Divided into three sections, the order provides guidance for how the federal government should move forward with cybersecurity concerns in the next year.
The first section focuses on adhering to NIST Framework standards in the Executive Branch.
The second section seeks to further develop communication about securing critical infrastructure from the operators of those facilities. Although the Department of Homeland Security said in January that critical infrastructure includes elections, the order did not mention securing electronic voting machines or other election-related devices.
The final section demands a report within 90 days from eight executive department heads on how to improve protection of America from cyberthreats. It demands that within 90 days, the secretary of state “issue a report on how to improve international cooperation on cybersecurity.” And it asks department heads to evaluate how to improve training of America’s cybersecurity workforce.
Trump follows in a tradition of presidents criticizing the defensive cybersecurity abilities of the Executive Branch. Last year, President Obama famously said in a Wall Street Journal column announcing a federal initiative to modernize the government’s use of technology that “government IT is like an Atari game in an Xbox world.”
Demanding reports and accountability, of course, doesn’t necessarily translate into action. Modernizing the federal government’s approach to cybersecurity might prevent another OPM-scale breach, thus making the investment worthwhile, but it won’t happen quickly, says Falkowitz.
“We know the cost that we’re really curbing is unquantifiable when things go right,” he says.
The order, which builds largely on cybersecurity initiatives set in motion by the Obama administration, is garnering some criticism. Chris Wysopal, CTO and co-founder of software security evaluation company Veracode, bemoaned the lack of emphasis on securing the software supply chain, which affects vendors as small as a garage startup and as large as Facebook.
“Government acquisition should be following the lead of the financial sector and assessing the software purchased to insure it was built with modern secure development practices,” Wysopal said in an email. “What is the point of modernizing IT so it is more secure, if you don’t hold vendors accountable for delivering technology that is more secure out of the gate and is easier to maintain securely?”
Congressman Jim Langevin, co-founder and co-chair of the Congressional Cybersecurity Caucus, said in a statement that he is “deeply concerned” by open cybersecurity positions in the Trump administration at the Defense Department and Homeland Security.
“The EO contains important guidelines for improving our cybersecurity posture,” the Rhode Island Democrat said, “but without personnel to implement it, I am afraid our nation will continue to be at risk.”