Trump Cyber EO Good but Lacks State, Local and International Perspective, Say Experts
President Donald Trump's May executive order aimed at improving the resilience of the internet and communications ecosystem was given good marks by cybersecurity experts at a New America Open Technology Institute event Friday, but they said the order (see 1705110058) fell short in several areas, including giving state and local governments a role and developing a broader international alliance.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The order showed a growing understanding that government has a role in setting standards, New Jersey Chief Technology Officer David Weinstein said, but it didn't emphasize state and local governments, which are a "more target rich environment" than the federal government and possess more valuable data. "If we're really going to take a national approach to cybersecurity we need to look beyond the federal government," he said. Weinstein also wants "significant reform" to the federal grant system, which he said is "antiquated" and underfunds some states.
Palo Alto Networks Chief Security Officer Rick Howard said the order lacks an international viewpoint. He said criminal and terrorist organizations built infrastructures in countries where the U.S. has no law enforcement relationship: "We can't easily go in and say, 'Why don't you just unplug that because it's attacking everybody.'" He said there needs to be a way to create an international coalition in areas of agreement. Gabe Galvan, executive director of Mitre's Global Initiatives, said some U.S. agencies with strong interests in protecting cybersecurity assets may need to think about rebranding themselves from an entity with subpoena power, which might frighten stakeholders, to one that's part of a cooperative community.
Kiersten Todt, former executive director of the Commission on Enhancing National Cybersecurity -- which released a report in December on improving cybersecurity (see 1612020050, 1612050044 and 1612060049) -- said the executive order is a "demonstration of thoughtful government action." She said the May order was different from one that came out in January because it incorporated feedback from the private sector. She said its focus of cybersecurity in the context of risk management was "quite a significant advancement."
Todt, now president of risk management firm Liberty Ventures Group, also said the government needs an efficient classification system because classifying data is "used as an excuse just to protect information that government hasn’t truly organized." She said senior industry leaders wait so long to get government clearance that by the time they get into a briefing "they’re like, 'I know this.'" The challenge is to develop a system that classifies information that needs to be protected but allows other information to be distributed more quickly.
The New America event participants discussed public-private sector cooperation in cybersecurity, including in information sharing and in other areas. Todt said information sharing is mainly a "byproduct of trust," something the panelists said can be developed by stakeholders getting to know one another personally. Panelists cited the need to develop a better cybersecurity workforce, including educating students from an early age, because there's a shortage of skilled workers, and to create IoT standards led by industry.