Last week, the Trump Administration released its long-awaited Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Cybersecurity EO” or “Executive Order”). The Order launches significant reviews of the federal government’s digital vulnerabilities, existing efforts to protect critical infrastructure, and the development of the “cyber workforce”, and focuses on three separate areas of cybersecurity improvement: federal networks, critical infrastructure, and the United States as a whole.
The new Cybersecurity Executive Order is a promising first step for the new White House’s digital security agenda. CCIA is encouraged by the new order’s efforts to build on existing policies that have already been shown to be effective, particularly the reliance on the NIST Cybersecurity Framework to shape risk management in federal digital systems, and the appropriate deference to the carefully scoped definition of which sectors are considered critical infrastructure.
In the case of federal networks, the Executive Order requires that the heads of federal agencies look to the risk-management standards and best practices found in NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was initially produced pursuant to President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Those agencies must also produce a report to document their risk mitigation and acceptance decisions, and include their plans for implementing the NIST Framework. Lastly, the executive branch and federal agencies must show preference in procurement for “shared IT services” in their effort to “build and maintain a modern, secure, and more resilient” IT architecture.
The 2013 Executive Order on critical infrastructure again provides the basis for the Trump Administration Order’s directives in that space. The new Cybersecurity EO orders federal agencies to identify how they can better support the security efforts of critical infrastructure, as defined by Section 9 of President Obama’s 2013 order as those sectors where “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Importantly, no “commercial information technology products or consumer information technology services” can be designated as critical infrastructure under either executive order.
Finally, Section 3 of the new EO addresses “Cybersecurity for the Nation”, which encompasses consumer cybersecurity and workforce issues. Encouragingly, the EO’s goal for national cybersecurity is to promote an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”
To ensure the Internet retains these important characteristics in the future, federal agencies are to report on the Nation’s strategic deterrence options online, while the Departments of State, Commerce, Defense, Treasury, and Homeland Security are to identify their international priorities, which the State Department will turn into a strategy for international cooperation in cybersecurity. The EO concludes by turning to relevant agencies to assess the readiness of the American cybersecurity workforce, the workforce development of foreign “cyber peers”, and U.S. efforts to maintain or increase its advantage in “national-security-related cyber capabilities.”
CCIA looks forward to working with the Administration as it continues in its efforts to ensure that the Internet remains “open, interoperable, reliable, and secure.”