Despite all of the distractions in Washington, the Trump administration quietly issued a Presidential Executive Order on Cyber Security and also addressed the protection of critical infrastructure. In March, I made a few observations about where I believe the president should take a leadership position. With these recent developments, it seems prudent to slow down and see how the new directive ultimately transpired. My three major recommendations were as follows:
- Empower a cabinet-level leader to shape cyber space policy and standards across all agencies.
- Enhance government cyberthreat intelligence sharing with the civilian sector.
- Place an emphasis on training the cyberworkforce.
After reviewing the executive order, it appears that my predictions were met about halfway. While the president stopped short of creating a cabinet-level position, the new executive order does drive standardization of defensive cyber security policy, procedures and risk management. It is a great call to drive all agencies to conduct internal evaluations against the Cyber Security Framework developed by NIST. There's no question that it should be the foundation of risk management assessments since that is what the government has recommended for civilian industry. This concept is often referred to as “eating your own dogfood.”
The president was very clear that agency directors are solely responsible for the risk they accept should they become breached. This will likely drive different budgetary decisions to prioritize cybersecurity capabilities going forward. I think he fell a little short in terms of guidance for being offensive regarding cyber operations capabilities. However, due to its highly sensitive nature, this guidance was likely issued by classified means and, maybe amazingly, not leaked.
There was really no discussion around cyber threat intelligence sharing in the EO, however. This might be due to the fact that the Obama EO already broke down barriers and the current administration did not feel the need to take on the subject at this time.
Wisely, the president did direct the Secretary of Education and Commerce to assess our ability to train a professional cybersecurity workforce. This study is long overdue, and I hope it will help drive security competencies into all technical fields of education (e.g. computer science, electrical engineering, etc.).
In summary, the Trump cybersecurity EO directs a lot of information gathering. So, I think this is the beginning of a long-range strategy that will play out over the next four years. I think it is a good start and I look forward to seeing the maturation of our cyberspace policies over President Trump's term.
It is good to see this administration, as well as the last, acknowledge the significance of cybersecurity from a public and private standpoint. We need strong policies in place supported by appropriate funding to ensure that the United States has the resources and talent in place to keep pace with the surge of nation-state and advanced attacks that are targeting our nation's most critical assets. This attitude will hopefully continue to evolve as quickly as the threats we all face.