Cyber Security Executive Order
On May 11 President Trump signed the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” into law. This Executive Order had three main goals: To protect federal networks, reinforce critical IT infrastructure and to provide security to the American public online. The text of the order itself doesn’t add much in the way of steps to be taken by federal agencies, but it does add timelines for those agencies to improve their cyber practices.
The text of the order moves federal agencies to consolidate their networks into a cohesive whole, instead of the separate networks that each agency has. This has several benefits, such as allowing the agencies to pool their resources for large problems. It also means that agencies can work to develop defensive measures cooperatively instead of each agency producing them separately.
The Executive Order requires that “…each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.”
This means that federal agencies would have to use the NIST Cyber security Framework to structure their cybersecurity programs. This would make sense, as the second part of the order calls for an audit of all major systems. This would fulfill the part of the NIST Framework that calls for a risk management assessment to be used to determine how each system should be protected. Putting this requirement in the body of an Executive Order means that federal agencies now have the onus to pursue their cyber security protection goals.
The final part of the order calls for the United States to prepare a plan to protect its citizens online. This includes working with our allies overseas to develop an effective cyber security plan. The order requires that within 90 days all appropriate agencies will have submitted an overview of their top cyber security threats and procedures for dealing with them. The order also calls for the growth and development of a workforce skilled in cyber security practices, to help maintain the growing cyber infrastructure.
Another part of the third section of the order requires that the president be briefed on all viable strategies to protect the American citizen. This includes deterrence strategies that will make it less viable for foreign actors to commit a cybercrime against a US citizen. Possible deterrents could involve retaliatory cyber-attacks against repeat offenders, or it could mean tracking and turning over any cyber criminals to the appropriate authorities.
The report by federal agencies on vulnerabilities to botnet attacks and other forms of cyber-attack is required to be made public within 240 days of the order being signed into law. This would be a great benefit for the public and private sector. This report would also provide insight into how to improve the internet’s backbone and supporting services. This upgrade for the internet support structure would provide room for improvements in the future, which in turn could fuel economic growth. Part of the reports required is an overview of the viability of training a new workforce skilled in cyber security techniques and IT infrastructure.