Trade Law Daily is a Warren News publication.
Retains Botnets Language

Trump Cyber EO Directs Pan-Government Risk Management Review

President Donald Trump signed a cybersecurity executive order Thursday that also aims to jump-start White House efforts to modernize federal IT. The EO mirrored aspects of previous drafts, including provisions from the original version that direct the Office of Management and Budget and the Department of Homeland Security to assess all federal agencies' cybersecurity risks and require agencies to manage their risk using the National Institute of Standards and Technology's Cybersecurity Framework. The White House ditched its original plan for Trump to sign in January (see 1701310066).

“The trend is going in the wrong direction in cyberspace, and it’s time to stop that trend,” said Homeland Security Adviser Tom Bossert on a conference call with reporters. The administration recognizes that President Barack Obama's administration made “a lot of progress” in addressing federal cybersecurity but hadn't done “nearly enough,” Bossert said.

The EO includes a revised version of previously circulated language that directs DHS and the Department of Commerce to explore ways to “promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets. Commerce and DHS would consult with the FCC, FTC, the departments of Defense and Justice, the FBI and others on that process. Commerce and DHS are directed to release a preliminary report on their findings within 240 days and a final report by May 11, 2018. A draft version of the section received mixed industry reviews (see 1702280065).

The EO mirrors the canceled January version by directing that all federal agency heads “will be held accountable” for implementing appropriate cyber risk management measures and requiring all agencies to use the NIST framework. Every agency will be required to give DHS and OMB a report within 90 days outlining the agency's cyber risks, risk management practices and plans to implement the NIST framework. DHS and OMB will assess whether an agency's risk management practices and plan “are appropriate and sufficient to manage” the agency's cyber risks.

The order intermingles White House cybersecurity priorities with its burgeoning plans to accelerate federal IT modernization, as expected (see 1704270029). The newly created American Technology Council, headed by Trump son-in-law and White House Office of American Innovation Director Jared Kushner, will coordinate work on a report on federal IT modernization. The report, due in 90 days, will evaluate the “technical feasibility and cost effectiveness” of IT modernization, including via shared IT services and consolidated network architectures, the EO said.

DHS will lead work to identify authorities and capabilities that federal agencies “could employ” to support critical infrastructure entities' cybersecurity efforts as originally identified in Obama's 2013 cyber EO (see report in the Feb. 14, 2013, issue). A report due in 180 days will detail the agencies' authorities and recommendations “for better supporting” critical infrastructure entities' cybersecurity. DHS and Commerce also will draft a report within 90 days on whether existing federal policies and practices sufficiently “promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities,” and particularly publicly traded entities, the order said.

Trump's EO also delves into the U.S.' international and military cyber strategies. DOD, Commerce, DHS and the Office of the Director of National Intelligence will assess how the U.S. can maintain or increase “its advantage in national-security-related cyber capabilities.” State, Commerce, DHS, the Office of the U.S. Trade Representative and other agencies will jointly produce a report on the U.S.' “strategic options” for cyber deterrence, the EO said. State and others will submit reports on their “international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation,” the EO said. DOD, DHS and the FBI will produce a report on cyber risks facing the U.S. military and defense industrial base.

“There has been a lot of controversy about cybersecurity” and the Trump administration, but the EO “is a significant step towards real cybersecurity risk management,” emailed Venable cybersecurity/telecom lawyer Jamie Barnett. Bossert's cybersecurity work “builds on what was done before rather than attempting to displace it,” the lawyer said. “This approach will improve cybersecurity for the government and industry as long as it is resourced and executed.”

The order's “emphasis on having agency heads in charge of cybersecurity may seem to some like a throwaway, but it's not,” said Internet Security Alliance CEO Larry Clinton in an interview. Reports that ISA receives show cybersecurity becomes an entity-wide risk management issue “when the guys at the top are taking charge of the broad cybersecurity issue,” he said: Agency heads “have not been born into” cybersecurity expertise, so they will “need to take the same sort of enterprise-wide approach to cybersecurity that corporate boards are doing.” If agency heads shift to that approach, “that will be a major change” that could significantly impact the government, Clinton said.

House Communications Subcommittee Chairman Marsha Blackburn, R-Tenn., and House Energy Subcommittee Chairman Fred Upton, R-Mich., jointly lauded the EO: “Given the importance cybersecurity plays in our daily lives, our economic well being, and its integral role in our nation’s infrastructure, we have to ensure that all federal agencies are adequately prepared and actively working to mitigate the actions of malicious actors across the country and around the globe.”

Trump's order drew widespread praise -- and some criticism -- from cybersecurity stakeholders in statements Thursday. The EO “is a positive step forward,” said USTelecom CEO Jonathan Spalter. The EO affirms “the need for continued dialogue with industry to improve the resilience of the internet ecosystem,” said CenturyLink Senior Vice President-Public Policy and Government Relations John Jones.

Access Now believes the EO's provisions “will serve as incremental changes to existing policies, while the Trump administration has otherwise either ignored or undermined pressing digital security threats internet users face,” said Policy Counsel Drew Mitnick. “The action does not touch several critical areas, like the insecurity of [IoT] devices, data breaches, or vulnerability disclosure.” The University of California, Berkeley, Center for Long-Term Cybersecurity wants the White House to “prioritize filling vacancies of key cybersecurity officials within the White House, at DHS and other federal agencies so that there is strong leadership to act on these key issues addressed” in the order, said Executive Director Betsy Cooper.