After letting it languish somewhere in the recesses of a beleaguered White House for more than three months, Donald Trump today signed a cybersecurity Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” meant to bring efficiency, clarity and additional protections to government IT systems.
The EO charges the government with reviewing its cyber posture and pins responsibility for cyber risk on those officials who lead federal agencies. Agencies must provide reports based on the National Institute of Standards & Technology (NIST) framework, the de facto standard, within 90 days. Overarching reports on the issues affecting critical infrastructure must be completed in six months.
“The executive order represents a very solid, thoughtful first step in setting cyberpolicy for the nation,” said Mike Overly, privacy and data security lawyer at Foley & Lardner LLP, who was involved with the EO in its earliest days. “In a word, that means ‘accountability.’ The Order makes clear governmental agencies are going to be held accountable and provides the means for monitoring and ensuring that accountability.”
He also lauded the EO for embracing NIST's Framework for Improving Critical Infrastructure Cybersecurity, but noted that the framework isn't “suitable as a guide for all businesses.”
“It was designed to address critical infrastructure entities, such as governmental agencies, power distribution, banking, etc.,” he said. “It can provide guidance to other types of organizations, but needs to be scaled accordingly.”
In a week dominated by his dismissal of now-former FBI Director James Comey and questions about the involvement of Trump surrogates with Russian operatives, the president probably could use a little good news, and it seems he got it with an EO that was roundly applauded by cybersecurity and privacy professionals – with a few caveats.
“Overall, this EO continues the general approach to cybersecurity that started in the Bush Administration and ran through the Obama Administration,” said Michael Daniel, president of the Cyber Threat Alliance and former special assistant to President Obama and cybersecurity coordinator for the White House. “I concur that the signed version is an improvement over previous drafts. It will be interesting to see whether the deterrence report and the international strategy will say anything new – but in general, I don't see anything unusual or that really goes in a different policy direction. Of course, this order is more of a plan for a plan, because an EO can only direct federal agencies to do things they can already do within the law, but the reports it calls for are good ones to have, for the most part.”
Daniel added that he “strongly” supports “holding agencies accountable while also encouraging the move to shared services,” and praised the EO for focusing “on finding a solution to the botnet problem, looking at the electrical grid more closely, and further developing a workforce strategy,” which in his assessment “are all smart and important issues to tackle in today's cyber landscape.”
Rob Nichols, president and CEO of the American Bankers Association (ABA), believes the EO “will enhance the security of government systems and help protect our critical financial infrastructure – and ultimately bank customers – through enhanced information sharing and greater cross-industry collaboration.”
Saying that the financial services industry stands ready to protect the country's critical sectors and economic security, Nichols pledged that “America's banks will continue to work closely with the White House, Congress and others to establish clear lines of public-private communication, while avoiding inconsistent or duplicative regulation that might undermine our efforts to protect banks and the customers they serve.”