Trump Administration's Cybersecurity Executive Order Smartly Builds On Previous Efforts

May 16, 2017

Last week, the Trump Administration released its long-awaited Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Cybersecurity EO” or “Executive Order”). The Order launches significant reviews of the federal government’s digital vulnerabilities, existing efforts to protect critical infrastructure, and the development of the “cyber workforce”, and focuses on three separate areas of cybersecurity improvement: federal networks, critical infrastructure, and the United States as a whole.
The new Cybersecurity Executive Order is a promising first step for the new White House’s digital security agenda. CCIA is encouraged by the new order’s efforts to build on existing policies that have already been shown to be effective, particularly the reliance on the NIST Cybersecurity Framework to shape risk management in federal digital systems, and the appropriate deference to the carefully scoped definition of which sectors are considered critical infrastructure.
In the case of federal networks, the Executive Order requires that the heads of federal agencies look to the risk-management standards and best practices found in NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was initially produced pursuant to President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Those agencies must also produce a report to document their risk mitigation and acceptance decisions, and include their plans for implementing the NIST Framework. Lastly, the executive branch and federal agencies must show preference in procurement for “shared IT services” in their effort to “build and maintain a modern, secure, and more resilient” IT architecture.
The 2013 Executive Order on critical infrastructure again provides the basis for the Trump Administration Order’s directives in that space. The new Cybersecurity EO orders federal agencies to identify how they can better support the security efforts of critical infrastructure, as defined by Section 9 of President Obama’s 2013 order as those sectors where “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Importantly, no “commercial information technology products or consumer information technology services” can be designated as critical infrastructure under either executive order.
Finally, Section 3 of the new EO addresses “Cybersecurity for the Nation”, which encompasses consumer cybersecurity and workforce issues. Encouragingly, the EO’s goal for national cybersecurity is to promote an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”
To ensure the Internet retains these important characteristics in the future, federal agencies are to report on the Nation’s strategic deterrence options online, while the Departments of State, Commerce, Defense, Treasury, and Homeland Security are to identify their international priorities, which will be turned into a strategy for international cooperation in cybersecurity by the State Department. The EO concludes by turning to relevant agencies to assess the readiness of the American cybersecurity workforce, the workforce development of foreign “cyber peers”, and U.S. efforts to maintain or increase its advantage in “national-security-related cyber capabilities.”
CCIA looks forward to working with the Administration as it continues in its efforts to ensure that the Internet remains “open, interoperable, reliable, and secure.”
