President Trump today finally signed a long-awaited Executive Order (EO) on cybersecurity, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Homeland Security Today first reported the April 27 draft of the EO last week, when sources familiar with the then-draft order told Homeland Security Today that Trump was expected to sign it this week.
With the exception of "minor language edits" in the final EO signed today, "all of the content remains the same" as the April 27 draft Homeland Security Today first reported, one of the sources familiar with the EO told Homeland Security Today shortly after Trump’s signing of the order was announced.
The Department of Homeland Security (DHS) said today the EO “follows through on a key campaign promise made to the American people. It reaffirms the important role DHS plays in strengthening the security and resilience of federal networks and the nation’s critical infrastructure.”
“Our nation’s economic and national security rely on a safe, secure, and reliable cyber space,” said DHS Secretary John F. Kelly. “DHS has long been a leader in protecting our nation against cyber threats and this executive order reaffirms our central role in ongoing cybersecurity efforts. We have developed strong operational relationships with our government partners to protect federal civilian networks and have established trusted partnerships with the private sector to improve the cybersecurity of the nation’s critical infrastructure.”
The EO, which builds on DHS’s legal authorities, directs the department to assess and report on a number of key actions in order to secure federal networks. While each department or agency is responsible for the cybersecurity of its networks, DHS leads these efforts and ensures a baseline level of security across the civilian executive branch. The EO bolsters this work by:
- Directing agency heads to immediately use the National Institute of Standards and Technology (NIST) Cybersecurity Framework for risk management, and to provide within 90 days a risk management report to DHS and the Office of Management and Budget (OMB) on the implementation of the framework and risk management strategies employed by the department or agency;
- Directing DHS and OMB to assess federal agencies’ cybersecurity risk management strategies in order to determine the adequacy of cyber protections across federal networks and identify any unmet budgetary or policy needs;
- Directing DHS and OMB to provide a plan to the president, within 60 days of receiving the agency reports, on how to protect the executive branch enterprise; and
- Directing DHS and other agencies to provide the president with a report within 90 days on the technical feasibility to transition all agencies to one or more consolidated network architectures and shared IT services.
DHS said the EO “also enhances the department’s ability to support the cybersecurity efforts of the nation’s critical infrastructure owners and operators” by:
- Directing DHS to lead the coordination with other departments and agencies to identify federal resources and capabilities best suited to protect critical infrastructure where a cyber incident could have catastrophic effects;
- Directing DHS and the Department of Commerce to provide a report within 90 days to the president on how best to promote market transparency of cyber risk management practices by critical infrastructure entities;
- Directing DHS and the Department of Commerce to lead efforts to improve the resilience of the nation’s core communications infrastructure; providing a preliminary report within 240 days and a final report within one year;
- Enhancing DHS’ partnership with the Department of Energy to assess the resilience of the electric grid and provide an assessment within 90 days of any gaps in the security of the nation’s electric subsector; and
- Directing DHS, Department of Defense and FBI to provide a report within 90 days to the president assessing the cybersecurity of the defense industrial base.
DHS said, “The Internet is part of the underpinning of the American economy, and the Executive Order affirms that it is the policy of the United States to promote an open, interoperable, reliable and secure Internet. In furtherance of this policy, the Executive Order:”
- Directs an interagency team, including DHS, to submit a report within 90 days to the president on the nation’s strategic options for deterring adversaries and better protecting the American people from threats in cyberspace;
- Directs an interagency team, including DHS, to submit a report within 45 days on international cybersecurity priorities; and within 90 days of the submission of the priorities report, develop an international cybersecurity engagement strategy; and
- Directs DHS and the Department of Commerce to lead coordination with other agencies and submit a report within 120 days on the findings and recommendations to support the growth and sustainment of the nation’s cybersecurity workforce.
“Strengthening the security and resilience of cyberspace is an important part of the homeland security mission,” DHS said, noting, “The president’s Executive Order builds upon existing capabilities and authorities while strengthening the department’s ability to carry out its mission of protecting federal networks, supporting critical infrastructure owners and operators, and ensuring an open and reliable Internet for all Americans.”
As Homeland Security Today first reported, the EO says it is now policy that, “The President will hold accountable heads of executive departments and agencies for managing cybersecurity risk to their enterprises.”
“In addition,” the EO states that “because risk management decisions made by agency heads can affect the risk to the executive branch as a whole and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.”
When it comes to risk management, the EO states, “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.”
“Effective immediately,” the EO reads, “each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the OMB within 90 days of the date of this order.”
The EO states, “Cybersecurity risk management comprises the full range of activities undertaken to identify and protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data and to mitigate the impact of, respond to, and recover from incidents. Information sharing facilitates and supports all of these activities.”
The EO also states that, “The executive branch has for too long accepted antiquated and difficult-to-defend IT,” adding, “Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements and modernization occur in a coordinated way and with appropriate regularity.”
The EO also states, “Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies. Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch or failing to execute security specific configuration guidance.”
“Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources,” the EO states.
In the EO’s section, "Assessment of Electricity Disruption Incident Response Capabilities," the Secretary of DHS, “in coordination with the Secretary of Energy and in consultation with state, local, tribal and territorial governments and others as appropriate, shall assess:
- “The potential scope and duration of a power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;
- “The readiness of the United States to manage the consequences of such an incident; and
- “Any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.”
The assessment would be required to be presented to Trump, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of Trump’s signing of the EO, “and may be classified in full or in part, as appropriate.”
“The Cybersecurity Executive Order is certainly a positive step forward in better securing federal networks and critical infrastructure,” Homeland Security Today was told last week by an authority familiar with the then draft EO. “I believe this Executive Order was worth the wait, as it supplies specificity and asks key questions from federal agency heads on potential gaps, budget shortcomings and the ability to respond and recover from threats. The EO requires federal agencies use the NIST Framework for Improving Critical Infrastructure Cybersecurity and provide a risk management report within 90 days that highlights mitigations and risk acceptance choices.”
“The acknowledgement of risk acceptance is also significant,” the authority said, noting, “Within all IT systems, we have the ability to accept, avoid, mitigate or transfer risk. Most organizations do not like to discuss risk acceptance and the White House will likely be very cautious on what they consider acceptable. The budget discussion is a major part of this Executive Order as evidenced by the language, and recent discussion coming out of the White House to invest heavily in modernizing government technology and sharing cybersecurity services between agencies.”
“As we saw in early drafts, the Department of Energy, as the electricity Sector Specific Agency, within 90 days must compile a report that highlights the readiness of the United States to manage the consequences of a significant cyber incident resulting in a power outage, and any gaps or shortcomings in the subsector to mitigate an attack,” the authority told Homeland Security Today. “Electric utilities are well positioned to provide input for this report. The NERC Grid Security Exercise (GridEx) is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event. I would strongly recommend the Department of Energy reach out to NERC, utilities and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”
Continuing, the authority said, “I was very encouraged to see that within 120 days of the order, a report will be provided with findings and recommendations regarding how to support the growth and sustainment of the nation’s cybersecurity workforce in both the public and private sectors. In a world of constant cyber attacks and massive data breaches, cybersecurity is more important today than ever before. As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training and STEM classes will start to bridge the cybersecurity workforce gap.”
US Chamber of Commerce President and CEO Thomas J. Donohue said of the EO that, “With this executive order the new administration has signaled a commitment to bolstering our nation’s cyber defenses and emphasized the important role public-private partnerships can play in doing so, which has long been a top priority of the business community."
“We look forward to engaging administration officials on advancing collaborative and flexible approaches to reducing cyber risks, including streamlining the bureaucratic hurdles and red tape that impede businesses’ efforts to secure their devices and networks in dynamic ways," Donohue said, adding, "we stand ready to partner with the administration on building capacity and trust in regards to real-time information sharing between government and industry. By working together we can better secure our nation’s networks, which are critical to our national and economic security."
“Lastly," he stated, "we are pleased the order spotlights increased adherence to norms and deterrence. We are eager to work with policymakers to explore ways to reduce the benefits of conducting harmful cyber activity against the business community and the nation, and position the US as a leader in effective cybersecurity policy.”
Senator Claire McCaskill, the top-ranking Democrat on the Senate Committee on Homeland Security and Governmental Affairs, said today, “I was pleased to see President Trump’s Executive Order on cybersecurity and believe that we need to continue aggressively addressing this emerging threat. I stand ready to work with the President and his Administration on essential efforts to strengthen the federal government’s cybersecurity and to protect our communities, businesses, and institutions from cyberattacks.”
Gregg Smith, CEO of Silent Circle, said, “There are many things about this cybersecurity Executive Order that I like. President Trump is making it clear that he will be holding the heads of the agencies accountable for managing cybersecurity risk to their enterprise. He has given them a directive to use the NIST framework for this management of risk, which has been widely adopted in the commercial world and seems to provide a solid baseline. Additionally, the president is asking for a renewed coordination and cooperation between agencies, requesting that they work together on this problem. As it stands today, each agency seems to be going about the management of cybersecurity risk in their own way, which is wasteful given that similar threats and vulnerabilities affect each agency.”
“Looking for action in 90 days is extremely atypical of government, and it is encouraging how quickly the president will be requiring the heads of agencies to put these new directives in place,” Smith said, adding, “Calling out the need for collaboration with allies to determine best of breed technologies and methods for managing cybersecurity risk is very smart – we have many allies that excel in cybersecurity and working together to strengthen our own is a great idea. I was also pleased to see that the Executive Order called out the need to protect critical infrastructure.”
However, Smith said, “I was disappointed to only see talk of network and infrastructure and no mention of mobile devices. While mobile can be interpreted as IT infrastructure, I believe that its pervasive use in all branches of government among employees and leadership, coupled with the known vulnerabilities across the mobile ecosystem, make the non-mention a gaping hole.”
Bob Stevens, vice president of Federal for Lookout, said, “President Trump today echoed many of the key policy recommendations that Lookout sees as critically important for our nation’s cybersecurity in his administration’s executive order. Lookout is encouraged by this renewed focus on risk management and would specifically like to highlight the urgent need to prioritize mobile security in order to protect information across individuals and government agencies.”
“The executive order states the need for improved risk management processes that incorporate advancements in technology,” Stevens said. “Simply put, the administration acknowledges that known vulnerabilities are one of the highest risks faced by agencies. We know that in order for this executive order to be a success, securing and mitigating mobile risk is essential. We support the administration’s emphasis on risk management and the Lookout team looks forward to partnering with public and private sector to further advance the mobile security of the federal government.”
McAfee Senior Vice President and Chief Technology Officer Steve Grobman, said, “The Trump administration is right to prioritize securing the federal government’s systems and networks. Getting the government’s own cyber house in order is job one, and holding agency and department heads accountable is key. This is no different than the paradigm we see in corporate organizations where, although the CEO is not a cybersecurity expert, he or she is ultimately responsible for implementing a cybersecurity plan that mitigates risk to the business. The NIST Framework is a powerful tool to facilitate implementing a strong cyber defense.”
“Likewise,” he said, “directing policymakers to work collaboratively with critical infrastructure companies to understand what they need to better secure themselves is the correct approach. We support a model in which the government treats the private sector as a customer with the government acting as a service provider.”
“Additionally, we’re pleased the order takes on the challenge of IT modernization, which must go hand-in-hand with securing federal systems,” Grobman said, noting, “Trying to implement security on old, often obsolete technology is both difficult and expensive, and with limited IT talent available would be throwing good money after bad. Modernizing and securing government systems and networks are dual priorities that should have equal weight and are both long overdue; we welcome the administration’s focus on both.”
Finally, Grobman said, “The order addresses other key areas as well, including the cyber workforce shortage – a challenge we all face, but which is particularly acute in the federal government. With the workforce shortage predicted to reach 1.8 million by 2022, we welcome the focus on filling the cybersecurity skills gap. Machines and automation will compensate for some of the deficit, but we will still need skilled analysts for the most sophisticated, high-level tasks.”
Mike Shultz, CEO at Cybernance (a NIST-compliant cyber governance platform designated by DHS), said, “This executive order marks a dramatic cultural shift in the way the federal government is looking at cyber security. Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems. However, critical information is leaking on a constant basis. Trump’s order mandates that the security of federal agencies has to be controlled on an entire enterprise level—instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported on.”
Shultz said, “What’s the difference with this EO vs. actions that the Obama administration took? First, we’ve never had an executive order require all federal agencies to apply NIST to their entire organization. We’ve never had a mandate that requires agencies to build a comprehensive risk and mitigation report for their organization and then report to the president of the Department of Homeland Security and the director of the Office of Management and Budget. The 90-day deadline is a huge lift for an order that requires a cultural shift down to the DNA level of how we view cyber risk.”
“Kudos to the Obama administration for being a central force in the development of the NIST Cyber Security Framework that President Trump’s executive order now requires federal agencies to use. This executive order lights an intense fire under agency heads to be in compliance, and fast,” Shultz concluded.
Edgard Capdevielle, CEO of Nozomi Networks, also applauded the EO, saying, “Section 2 of the order focuses on critical infrastructure and in particular, the electricity grid. It is encouraging to see the federal government take action that increases the urgency for improving and ensuring the reliability of the power supply within the US. Electric utilities and other critical infrastructure operators should know that recent advances in technology can improve the cyber security risk management efforts called out in this Executive Order. Innovations such as machine learning and artificial intelligence enable real-time monitoring and anomaly detection that offer critical infrastructure operators better tools to manage cyber risk and minimize disruptions.”
Mocana CEO Bill Diotte added, “This executive order puts a welcome spotlight on the cybersecurity issues plaguing our nation’s IT infrastructure. We’ve seen reports like this in the past that only serve to generate more reviews, as opposed to action, and we’re no safer because of it. Our hope is that the president is going to hold people accountable for what’s outlined in the order so that we see real change. Although we would have liked to see more explicit language dealing with IoT security, we look forward to working with federal customers and industry partners to help manage the rising risk of attacks against critical infrastructure that would cripple our communities.”