Will Trump’s cyber-security Executive Order work?

Jerry Bowles Profile picture for user jbowles May 11, 2017
It's been a busy week for President Trump, what with sacking the FBI Director, hosting a Russian government photo opp in the Oval Office, as as personally inventing a business phrase that dates back to the Great Depression. But there's still time for another Executive Order, this time around cyber-security.

Another day, another Executive Order

US President Donald Trump on Wednesday signed a long-promised executive order on cyber security, the administration’s first major action to address the cybersecurity of federal networks and systems that operate critical infrastructure.

It comes after a presidential campaign dominated by months of news stories related to cyber security, including the hacking and subsequent leaking of Democratic National Committee emails as part of a cyber attack on the American election.

The order is similar to a draft circulated weeks ago, but delayed to allow the White House time to put together a budget wish list for next year and to announce the formation of the American Technology Council (ATC), a group of agency heads and federal executives whose mission is to “coordinate the vision, strategy and direction” of IT across government and provide advice regarding its use. The President will himself chair the Council. The new order reads, in part:

The executive branch has for too long accepted antiquated and difficult–to-defend IT. Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.

The new Executive Order calls on agencies to adopt the National Institute of Standards and Technology framework and includes language on increasing cybersecurity of federal networks, securing critical infrastructure, deterring cyber threats and building international alliances. The guidelines in the past were something the government asked the private sector to implement, but had not enforced the guidance within the government itself. The order reads, in part:

Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.

White House homeland security and counterterrorism advisor Tom Bossert stressed the interconnection between cybersecurity risk management and IT modernization during a press conference:

We spend a lot of time and inordinate money protecting antiquated and outdated systems. We saw that with the [Office of Personnel Management] hack and other things. … We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture.

Another key part of the order directs agency heads get more involved in managing risk by assuming direct responsibility for cybersecurity at their agencies and to provide the White House and Department of Homeland Security with risk mitigation assessments as part of a new federal enterprise risk management approach. Agencies will be required to identify both existing risk and known unmitigated risk.

Maybe the toughest challenge in the tasks outlined in the order is the direction that agencies to work together to centralize risks so the entire government IT infrastructure can be viewed as a single enterprise network. It urges government agencies to share more IT infrastructure, such as financial and human resources systems, which can save money as well as make cyber protections easier to implement.

Within 90 days, the director of the American Technology Council must submit a report on the feasibility of standardizing and consolidating the shared IT services across the government.

My take

Like many of the Executive Orders issued by the Trump White House since January 20, this one reads more like a plan to develop a plan than an actual blueprint.

If the new American Technology Council—with the President as its Chairman--becomes the main focal point of federal modernization, cybersecurity, and risk management as envisioned, and doesn’t get distracted by political or bureaucratic issues, it could make the coordination of a new safer, modernized IT vision across the government an achievable goal.

Requiring agency heads to be more accountable for the security of their own apps and data and urging them to move toward shared services could save money and make the task of securing federal networks more manageable. Unfortunately, there are simply not enough details yet to gauge how well the vision will work in the real world.

The American Technology Council is just taking shape and nobody can safely predict how much attention President Trump will actually pay to it. The order follows what U.S. intelligence agencies say was a wide-ranging influence operation intended to help Trump win the White House and defeat his challenger, Hillary Clinton—an assessment only grudgingly accepted by Trump since he became president.

Missing too is the role of private companies in achieving the order’s goals, which, one assumes, would have to be a major part of both the modernization and cybersecurity efforts. Bottom line: the devil will be in the details.

A grey colored placeholder image