Trump Issues Cybersecurity Executive Order

On May 11th President Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Executive Order was announced and explained by Tom Bossert, President Trump’s homeland security adviser  (see below).


1. The EO Calls for Modernizing Federal IT in Shared Systems Using the Cloud

This is an important priority given that a recent report found that 77.7 percent of proposed agency IT budgets for fiscal year 2017 were for legacy operations and maintenance, with the remaining sliver dedicated to systems development and enhancement.

Bossert stated

We spend a lot of time and inordinate amount of money protecting antiquated and outdated systems. We saw that with the OPM hack and other things.  From this point forward, the President has issued a preference in federal procurement in federal IT for shared systems. We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture.

2. The EO Calls for Government Wide Risk Assessment Using the NIST Framework for Improving Critical Infrastructure Cybersecurity

The executive order requires that all federal agencies adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST) under President Obama. The framework was developed by experts with input from the private sector, as well as the public, and is described as “a common language for understanding, managing, and expressing cybersecurity risk both internally and externally.”  The Obama administration had encouraged the private sector to adopt the voluntary NIST framework but did not require government agencies to do so.

3. The EO Seeks to Hold the Private Sector Accountable

The EO provides that

The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.

The idea being to potentially pressure or shame publicly traded “critical infrastructure entities” who are security laggards, but the problem is that many such entities are not publicly traded.

4. The EO Seeks to Address the Shortage of Cyber Security Professionals

According to McAfee CTO Steve Grobman, there is a shortage of computer security experts in the U.S that is predicted to reach 1.8 million by 2022. “It’s true in the private sector and it’s especially true in the government. ”

One of the many reports called for by this EO is to “assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future” and report on “how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”

5. Criticisms

While the report was generally well-received and largely viewed as a continuation of Obama administration efforts, the EO has been criticized as “a plan to make a plan” without any funding commitments.

Daniel Castro, President of the think tank Information Technology and Innovation Foundation noted that Obama administration had

left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.

As detailed below, the Order calls for a series of reports from which further action will be taken.  The deadlines are highly optimistic, as nobody believes that the Trump Administration can complete a government wide cyber risk assessment in 90 days.

Mike Shultz, CEO of Cybernance noted that applying the NIST Framework to the federal government with a 90-day deadline, “is a huge lift for an order that requires a cultural shift down to the DNA level of how we view cyber risk.”

The order is below.