June 5, 2017 | By Holly Dragoo
President Trump issued an Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, detailing five core tenets: 1) Agencies' responsibility for major breaches of their respective networks; 2) Executive branch support for securing critical infrastructure networks; 3) Defense and resiliency of the civilian Internet against cyberattackers; 4) International partnership for cyberthreat information sharing; and 5) Promotion of cybersecurity education and workforce development.
IISP Analyst Holly Dragoo: "Given the strife over previous executive orders, it’s not surprising to see some hype generated over this one; particularly over the clause that places accountability for the defense of agency networks squarely on the shoulders of senior executives. This is not really an unreasonable clause, however, and somewhat overdue. It may be the fastest way to see (desperately needed) widespread upgrades to network security across the government. Leadership accountability does happen already in a reactive way of sorts, with heavy media scrutiny and/or public resignations in the aftermath of a mega breach (e.g. the Office of Personnel Management hack), but marking it down as policy will force proactive changes that too often have been relegated to the back burner.
"The delay in issuing this EO, after multiple previous drafts had been leaked, was most assuredly so new White House cybersecurity advisor Rob Joyce could review and approve its verbiage. His background as a former NSA executive – with exposure to both offensive and defensive cybersecurity matters – certainly informs his perspectives well. This EO makes sense. There are no un-fundable mandates or unenforceable aspects to the EO, albeit with some lofty deterrence goals. Benign sections request informational reviews/reports from department heads and acknowledge the legitimate need for international threat sharing. Meanwhile, addressing the desperate cries for qualified industry professionals validates that the private sector was heard. Critics say the EO is all talk with no action and no funding, and that is true. Funding will be a better measure of determining what White House priorities really are in this space. Taken in the context of the stream of other EOs issued from the White House, all in all, it’s not bad or terribly disruptive for a first quarter effort on a complex topic."
For further reading
- Executive Order: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal