Cybersecurity , Risk Management
Secretaries, Directors to Be Held Responsible for Their Agencies' IT Security
President Donald Trump at his desk in the Oval Office.(This story has been updated.)
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
President Donald Trump has signed a long-awaited executive order that places responsibility for cybersecurity on departmental secretaries and agency directors and emphasizes the use of risk management throughout the federal government to secure digital assets.
"Because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise," says the executive order, issued May 11. "Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources."
A Critical First Step?
Making agency heads responsible for IT security is "a critical first step as it places the onus on each agency head to make sure cyber is part of their mission," says Viewpost Chief Security Officer Christopher Pierson, a member of the Department of Homeland Security's data privacy and integrity advisory committee. "The one throat to choke for accountability for federal cybersecurity is now clear."
But Robert Bigman, an IT security consultant who was a long-time CISO at the CIA, contends the executive order lacks specificity that's needed to secure government IT. "This EO does very little to move the ball forward," he says. "Government agencies need specific/detailed direction ... on minimum cybersecurity responsibilities."
And Nok Nok Labs CEO Phil Dunkelberger says he doesn't see much new in the executive order. "It is a continuation of what we've already been doing and in many cases failing," says Dunkelberger, former CEO of PGP. "The industry/government needs a revolution. ... We have made strides, the question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren't playing by any rules."
The executive order, prepared after the release of several earlier drafts, also calls for the modernizing of federal information technology. New technologies are seen as more secure than older ones. The modernization program will be led by the American Technology Council headed by Jared Kushner, Trump's son-in-law and assistant to the president.
Key Provisions
Among other provisions, the executive order calls for:
Requiring each federal agency to use the cybersecurity framework developed by the National Institute of Standards and Technology (see NIST Issues Draft of Revisions to Cybersecurity Framework ); Identifying federal capabilities that could be used to help companies that operate portions of the nation's critical infrastructure to defend their information systems and data; Promoting processes to improve resilience of the internet and communications ecosystem to dramatically reduce threats perpetrated by botnets; Assessing electricity disruption incident response capabilities; and Identifying risks facing the defense industrial base.Safeguarding the Weakest Link
"The focus on the defense supply chain is an important recognition that cyber attackers target the weakest links," says Jacob Olcott, BitSight Technologies' vice president and former cybersecurity staff leader on the Senate Commerce Committee. "Managing third-party risk has been a major focus for the private sector, and it's smart that the EO prioritizes this initiative for the DoD."
The executive order calls on the secretaries of commerce and homeland security, working with other agencies, to assess the scope of efforts to train the American cybersecurity workforce, including cybersecurity-related education curricula, training and apprenticeship programs, from primary through higher education.
It also directs the director of national intelligence to review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.
"One key to this [executive order] is a robust federal cyber R&D program through the academic community to educate and cultivate a pipeline of next-generation computer scientists and front-line defenders, as well as the tools and technologies to support them," says Signal Group Executive Vice President Greg Garcia, a former DHS assistant secretary for cybersecurity and communications.
Range of Deadlines
Most of the provisions are stated as directives requiring specific agencies to report to the president within certain deadlines that range from 45 to 240 days.
"The United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace," the executive order says.
The original draft of the executive order had called for the military to play a more active role in protecting federal government and critical infrastructure information technology, but was excised in later drafts and the final version because of the widespread belief among many stakeholders that civilian cybersecurity shouldn't be overseen by the defense department (see Revised Cybersecurity Executive Order Seen as More Moderate ).