Trump Administration’s Cybersecurity Executive Order Smartly Builds On Previous Efforts

May 16, 2017

Last week, the Trump Administration released its long-awaited Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (“Cybersecurity EO” or “Executive Order”). The Order launches significant reviews of the federal government’s digital vulnerabilities, existing efforts to protect critical infrastructure, and the development of the “cyber workforce”, and focuses on three separate areas of cybersecurity improvement: federal networks, critical infrastructure, and the United States as a whole.

The new Cybersecurity Executive Order is a promising first step for the new White House’s digital security agenda. CCIA is encouraged by the new order’s efforts to build on existing policies that have already been shown to be effective, particularly the reliance on the NIST Cybersecurity Framework to shape risk management in federal digital systems, and the appropriate deference to the carefully scoped definition of which sectors are considered critical infrastructure.

In the case of federal networks, the Executive Order requires that the heads of federal agencies look to the risk-management standards and best practices found in NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was initially produced pursuant to President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Those agencies must also produce a report to document their risk mitigation and acceptance decisions, and include their plans for implementing the NIST Framework. Lastly, the executive branch and federal agencies must show preference in procurement for “shared IT services” in their effort to “build and maintain a modern, secure, and more resilient” IT architecture.

The 2013 Executive Order on critical infrastructure again provides the basis for the Trump Administration Order’s directives in that space. The new Cybersecurity EO orders federal agencies to identify how they can better support the security efforts of critical infrastructure, as defined by Section 9 of President Obama’s 2013 order as those sectors where “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Importantly, no “commercial information technology products or consumer information technology services” can be designated as critical infrastructure under either executive order.

Finally, Section 3 of the new EO addresses “Cybersecurity for the Nation”, which encompasses consumer cybersecurity and workforce issues. Encouragingly, the EO’s goal for national cybersecurity is to promote an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”

To ensure the Internet retains these important characteristics in the future, federal agencies are to report on the Nation’s strategic deterrence options online, while the Departments of State, Commerce, Defense, Treasury, and Homeland Security are to identify their international priorities, which will be turned into a strategy for international cooperation in cybersecurity by the State Department. The EO concludes by turning to relevant agencies to assess the readiness of the American cybersecurity workforce, the workforce development of foreign “cyber peers”, and U.S. efforts to maintain or increase its advantage in “national-security-related cyber capabilities.”

CCIA looks forward to working with the Administration as it continues in its efforts to ensure that the Internet remains “open, interoperable, reliable, and secure.”
