A new executive order from the White House could help the U.S. defend against future cyberattacks, much like the one currently affecting 150 countries.
President Donald Trump signed the order Thursday after a series of delays, but it was ultimately overshadowed by the worldwide ransomware attack that hit thousands of computers across the globe.
The order is just 10 pages long, but covers a lot of ground. Specifically, it looks at cybersecurity policy in three areas: the government, critical infrastructure, and the nation as a whole.
The executive order starts by squarely stating that the head of every agency “will be held accountable” for managing cyber risks.
Each agency is to develop a risk management report that lays out how it is managing cyber risks, what risks the agency is willing to accept, and how it came to those conclusions.
In the report, each agency must also detail how it intends to comply with the Cybersecurity Framework developed by the National Institute of Standards and Technology, essentially a set of best practices for cybersecurity.
Once the reports are submitted, the Department of Homeland Security and the Office of Management and Budget will review them and “determine whether the risk mitigation and acceptance choices … are appropriate.”
These two departments will then develop a plan to address shortfalls and adjust existing federal information security practices to the greatest extent possible.
The president’s executive order also takes a detour from the nitty-gritty details of risk management, the Federal Information Security Management Act, and the institute’s framework, to tackle the challenge of streamlining information technology.
Government computer systems are known for being outdated and having a glacially slow-paced budget and acquisitions process. To mitigate this problem, the executive order directs agencies to prioritize shared IT services—such as the cloud—in their procurement.
The order also asks for a study on the costs, benefits, and obstacles involved in consolidating government IT systems and using shared IT services, with some obvious exceptions for intelligence and security organizations.
On critical infrastructure, the executive order starts by reaffirming President Barack Obama’s Executive Order 13636.
This executive order called specifically on the agencies responsible for the security of parts of the nation’s critical infrastructure to identify the authorities they have on cybersecurity, and how they can effectively bring them to bear.
Moving beyond this, the president’s order seeks to create a forum in which government and the private sector can more closely work together in combatting attacks by botnets—attacks that use groups of infected computers and devices around the world to carry out the hackers’ objectives.
This makes sense in the wake of last year’s cyberattack that turned household electronics into tools for hackers.
This section of the executive order also requests an assessment of the effects that a massive cyberattack would have on the electric grid, as well as the ability of the U.S. to manage and mitigate the effects of such an attack.
Similarly, the order also calls for a report on current threats to the defense industrial base and U.S. military systems—including supply chain security—and how those threats can be handled.
Nation as a Whole
Lastly, the order turns toward the security of U.S. systems writ large. It seeks to understand the options available to the administration in order to deter foreign adversaries in cyberspace, and to work closely with allies to improve our security posture.
So far, the U.S. has been relatively slow to retaliate against nation-state hackers and their criminal accomplices. By requesting a report on how the U.S. can deter enemies and work with allies, this order will prepare the administration to more aggressively defend U.S. networks.
The order concludes by asking for an assessment of the U.S. cyber workforce, whether existing education efforts are supporting the development of this workforce, and what other countries are doing to develop and attract a skilled cyber workforce.
From government IT to deterring nation-states, Trump’s executive order on cybersecurity portends a methodical, yet disruptive, approach to cybersecurity. It calls for the tools needed to ground the administration in the facts and in the options available to it.
Most strikingly, the order appears to call for new ways of doing things. Time will tell if these efforts are successful, but this executive order is a start down the right path.